
COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: "She took his coat and hung it up".[1]

ID: S1105
Type: MALWARE
Platforms: Linux, Network Devices
Version: 1.1
Created: 07 February 2024
Last Modified: 15 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.[1]

Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell

COATHANGER provides a BusyBox reverse shell for command and control.[1]

Enterprise | T1543.004 | Create or Modify System Process: Launch Daemon

COATHANGER will create a daemon for timed check-ins with command and control infrastructure.[1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information

COATHANGER decodes configuration items from a bundled file for command and control activity.[1]

Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography

COATHANGER connects to command and control infrastructure using SSL.[1]

Enterprise | T1190 | Exploit Public-Facing Application

COATHANGER is installed following exploitation of a vulnerable FortiGate device.[1]

Enterprise | T1083 | File and Directory Discovery

COATHANGER will survey the contents of system files during installation.[1]

Enterprise | T1222.002 | File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

COATHANGER will set the GID of httpsd to 90 when infected.[1]

Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories

COATHANGER creates and installs itself to a hidden installation directory.[1]

Enterprise | T1574 | Hijack Execution Flow

COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as read(2).[1]

Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking

COATHANGER copies the malicious file /data2/.bd.key/preload.so to /lib/preload.so, then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/preload.so reboot newreboot 1.[1] This injects the malicious preload.so file into the process with PID 1 and replaces its reboot function with the malicious newreboot function for persistence.

Enterprise | T1070.004 | Indicator Removal: File Deletion

COATHANGER removes files from victim environments following use in multiple instances.[1]

Enterprise | T1095 | Non-Application Layer Protocol

COATHANGER uses ICMP for transmitting configuration information to and from its command and control server.[1]

Enterprise | T1027 | Obfuscated Files or Information

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /date/.bd.key/preload.so.[1]

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing

The first stage of COATHANGER is delivered as a packed file.[1]

Enterprise | T1057 | Process Discovery

COATHANGER will query running process information to determine subsequent program execution flow.[1]

Enterprise | T1055 | Process Injection

COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library.[1]

Enterprise | T1014 | Rootkit

COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[1]
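A defender-side hunt for the on-disk and process artefacts the techniques above describe (the hidden /data2/.bd.key directory, the copied /lib/preload.so and /bin/authd, the 56-byte configuration tail of preload.so, the httpsd GID of 90, and the authd injection command line), written as an added example; it is not MITRE's, Fortinet's or any vendor's tooling. It assumes an offline copy of the device filesystem under one directory plus a list of process command lines, and the location /bin/httpsd is an assumption.

```python
import os
import tempfile

# Artefacts named in the technique descriptions (paths relative to the image root).
HIDDEN_DIR = "data2/.bd.key"
PRELOAD_COPY = "lib/preload.so"
AUTHD_COPY = "bin/authd"
HTTPSD = "bin/httpsd"      # assumed location of the httpsd binary in the image
INFECTED_GID = 90          # GID the page says is set on httpsd after infection
CONFIG_TAIL = 56           # obfuscated configuration occupies the last 56 bytes


def scan_image(root):
    """Return findings for a FortiGate filesystem copied under `root`."""
    findings = {}
    for rel in (HIDDEN_DIR, PRELOAD_COPY, AUTHD_COPY):
        findings["/" + rel] = os.path.lexists(os.path.join(root, rel))
    preload = os.path.join(root, PRELOAD_COPY)
    if os.path.isfile(preload) and os.path.getsize(preload) >= CONFIG_TAIL:
        # The page gives no decoding routine, so only locate the trailing
        # block and hand it to the analyst as hex.
        with open(preload, "rb") as fh:
            fh.seek(-CONFIG_TAIL, os.SEEK_END)
            findings["config_tail_hex"] = fh.read(CONFIG_TAIL).hex()
    httpsd = os.path.join(root, HTTPSD)
    if os.path.exists(httpsd):
        findings["httpsd_gid_90"] = os.stat(httpsd).st_gid == INFECTED_GID
    return findings


def authd_injections(cmdlines):
    """Match command lines shaped like `authd <lib.so> <fn> <newfn> <n>`; the
    page shows one instance, matching the shape also catches a renamed library."""
    hits = []
    for line in cmdlines:
        argv = line.split()
        if (len(argv) >= 4 and os.path.basename(argv[0]) == "authd"
                and argv[1].endswith(".so")):
            hits.append({"lib": argv[1], "hooked": argv[2], "new": argv[3]})
    return hits


def build_sample_image():
    """Constructed sample: lay the artefacts out in a temp dir for a dry run."""
    root = tempfile.mkdtemp()
    for sub in (HIDDEN_DIR, "lib", "bin"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, PRELOAD_COPY), "wb") as fh:
        fh.write(b"\x7fELF" + bytes(100) + bytes(range(CONFIG_TAIL)))
    with open(os.path.join(root, HTTPSD), "wb") as fh:
        fh.write(b"\x7fELF")    # placeholder, not a real binary
    return root
```

Run `scan_image()` against the root of a mounted image and `authd_injections()` over the command lines of a process listing; any hit warrants a full forensic review rather than just removing the files, since the implant also hooks functions in running processes.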

References
