Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

NetmanageIT OpenCTI - opencti.netmanageit.com



SUMMARY:

UMBRELLA STAND is a sophisticated malware family targeting FortiGate 100D series firewalls produced by Fortinet. It provides remote shell execution, a configurable beacon interval, and AES-encrypted C2 communications. The malware beacons to its C2 server over fake TLS on port 443 and can run shell commands on the device. It employs several defense evasion techniques, including hidden folders, generic filenames, and string encryption. UMBRELLA STAND also persists across reboots by hooking the reboot process and through LD_PRELOAD. Associated tooling includes BusyBox, nbtscan, tcpdump, and OpenLDAP. The malware shows clear operational security considerations and shares similarities with the previously reported COATHANGER malware.

OPENCTI LABELS:

c2,process injection,persistence,firewall,aes encryption,defense evasion,fortinet,shoe rack,remote shell,umbrella stand
