UMBRELLA STAND is a sophisticated malware family targeting Fortinet FortiGate 100D series firewalls. It provides remote shell command execution, a configurable beacon frequency, and AES-encrypted command-and-control (C2) communications; beacons to the C2 server are sent as fake TLS over port 443. For defense evasion it uses hidden folders, generic filenames, and string encryption, and it persists across reboots by hooking the reboot process and by LD_PRELOAD injection. Tooling associated with the malware includes BusyBox, nbtscan, tcpdump, and openLDAP. The malware shows clear operational security considerations and shares similarities with the previously reported COATHANGER malware. Author: AlienVault
Related Tags:
firewall
SHOE RACK
UMBRELLA STAND
fortinet
aes encryption
c2
persistence
defense evasion
Government
Associated Indicators: