UMBRELLA STAND is a sophisticated malware family targeting Fortinet FortiGate 100D series firewalls. It provides remote shell command execution, a configurable beacon interval, and AES-encrypted C2 communications, beaconing to its C2 server over fake TLS on port 443. For defense evasion it uses hidden folders, generic filenames, and string encryption. Persistence is achieved by hooking the reboot process and through an ld.so.preload entry (LD_PRELOAD-style library injection). Associated tooling includes BusyBox, nbtscan, tcpdump, and OpenLDAP. The malware shows deliberate operational security considerations and shares similarities with the previously reported COATHANGER malware.
Author: AlienVault
Related Tags:
firewall
SHOE RACK
UMBRELLA STAND
fortinet
aes encryption
c2
persistence
defense evasion
Government
Associated Indicators:
SHA-256 file hashes:
38801CAAE26916367DD6CF6E8C55E50ED62526FE242CD0343DFE80A70564C28A
D1D5F502E2039B20269B562BBC1E5622A73BBECAD54CB25AE5EAA7A91504E70E
D3B88B7F640E478D8D875E12B4561E8C794909E4954AEBBC6FD1F5E79F381648
65F1E17F7FA2E2FD9C57265F390484A7428C192F59EE41FC7C0D8386EA3B811A
SHA-1 file hashes:
C8183D12C2070CF04CD03F080904ED1312A56911
99DDE2DF0B8B31FCE5807D710C1B8D9018A56F58
C2A463D5091EFB2BE590FBFA5DBA5A821D5625CF
D21E46856FFB344ED06A461EFB554E5A490A9E3E
28FF882BAA02C646BCDDDFFACB75923490A3DCF7