COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: "She took his coat and hung it up".[1]

ID: S1105
Type: MALWARE
Platforms: Linux, Network
Version: 1.0
Created: 07 February 2024
Last Modified: 05 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

COATHANGER will create a daemon for timed check-ins with command and control infrastructure.[1]

Enterprise T1190 Exploit Public-Facing Application

COATHANGER is installed following exploitation of a vulnerable FortiGate device.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

COATHANGER connects to command and control infrastructure using SSL.[1]

Enterprise T1574 Hijack Execution Flow

COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as read(2).[1]

.006 Dynamic Linker Hijacking

COATHANGER copies the malicious file /data2/.bd.key/preload.so to /lib/preload.so, then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/preload.so reboot newreboot 1.[1] This injects the malicious preload.so file into the process with PID 1, and replaces its reboot function with the malicious newreboot function for persistence.

Enterprise T1140 Deobfuscate/Decode Files or Information

COATHANGER decodes configuration items from a bundled file for command and control activity.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

COATHANGER provides a BusyBox reverse shell for command and control.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.[1]

Enterprise T1083 File and Directory Discovery

COATHANGER will survey the contents of system files during installation.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

COATHANGER will set the GID of httpsd to 90 when infected.[1]

Enterprise T1027 Obfuscated Files or Information

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /data2/.bd.key/preload.so.[1]
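The host artifacts listed above (the hidden /data2/.bd.key directory, the authd injection command line, httpsd owned by GID 90, the "coat hanger" string, and an encoded tail on preload.so) lend themselves to a single triage pass over a collected file list and process table. The script below is an added example written for this page; it is not code from the page, from MITRE, or from any vendor. `Snapshot`, `Proc`, the sample file contents and the entropy threshold are constructed stand-ins: a real collection from a FortiGate image would supply these values, and the threshold is an assumed triage heuristic, not a figure from the page.

```python
"""Triage checks for the COATHANGER host indicators described on this page.

Added example, not the page's or any vendor's code. Snapshot/Proc and the
sample data are constructed stand-ins for a collected file list, file group
ownership table and process table; ENTROPY_THRESHOLD is an assumed heuristic.
"""
import math
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the page text.
HIDDEN_DIR = "/data2/.bd.key"
PRELOAD_PATH = "/lib/preload.so"
AUTHD_ARGS = ("/lib/preload.so", "reboot", "newreboot", "1")
HTTPSD_GID = 90
CONFIG_TAIL_BYTES = 56
COATHANGER_STRING = b"She took his coat and hung it up"
ENTROPY_THRESHOLD = 4.0  # assumption: bits/byte above which a file tail looks encoded


@dataclass
class Proc:
    pid: int
    exe: str
    args: tuple


@dataclass
class Snapshot:
    files: dict   # path -> file contents (bytes)
    gids: dict    # path -> owning group id
    procs: list   # list of Proc


def shannon_entropy(data):
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_hidden_dir_files(snap):
    """Any file under the hidden installation directory named on the page."""
    return [p for p in snap.files if p.startswith(HIDDEN_DIR + "/")]


def find_authd_injection(snap):
    """authd processes started with the exact argument vector used to inject preload.so into PID 1."""
    return [p.pid for p in snap.procs
            if p.exe.endswith("/authd") and tuple(p.args) == AUTHD_ARGS]


def find_httpsd_gid(snap):
    """httpsd binaries whose group ownership was changed to GID 90 (T1222.002 on this page)."""
    return [p for p, g in snap.gids.items() if p.endswith("/httpsd") and g == HTTPSD_GID]


def find_coathanger_string(snap):
    """Files containing the string the malware uses to encrypt its on-disk configuration."""
    return [p for p, data in snap.files.items() if COATHANGER_STRING in data]


def preload_tail_entropy(snap):
    """Entropy of the last 56 bytes of /lib/preload.so, or None if the file is absent."""
    data = snap.files.get(PRELOAD_PATH)
    if data is None:
        return None
    return shannon_entropy(data[-CONFIG_TAIL_BYTES:])


def scan(snap):
    """Run every check and return the findings keyed by indicator."""
    tail = preload_tail_entropy(snap)
    return {
        "hidden_dir_files": find_hidden_dir_files(snap),
        "authd_injection_pids": find_authd_injection(snap),
        "httpsd_gid90_paths": find_httpsd_gid(snap),
        "coathanger_string_files": find_coathanger_string(snap),
        "preload_tail_suspicious": tail is not None and tail > ENTROPY_THRESHOLD,
    }


# Constructed sample data (not real artifacts): a minimal ELF-looking stub and a
# 56-byte tail of distinct values standing in for an obfuscated configuration.
ELF_STUB = b"\x7fELF" + b"\x00" * 60
ENCODED_TAIL = bytes(range(200, 256))

INFECTED = Snapshot(
    files={
        "/bin/httpsd": ELF_STUB,
        "/data2/.bd.key/preload.so": ELF_STUB + COATHANGER_STRING + ENCODED_TAIL,
        "/data2/.bd.key/authd": ELF_STUB,
        "/lib/preload.so": ELF_STUB + COATHANGER_STRING + ENCODED_TAIL,
    },
    gids={"/bin/httpsd": 90, "/lib/preload.so": 0},
    procs=[
        Proc(1, "/bin/init", ()),
        Proc(4400, "/bin/authd", ("/lib/preload.so", "reboot", "newreboot", "1")),
    ],
)

CLEAN = Snapshot(
    files={"/bin/httpsd": ELF_STUB},
    gids={"/bin/httpsd": 0},
    procs=[Proc(1, "/bin/init", ())],
)

if __name__ == "__main__":
    for name, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan(snap))
```

The entropy check is deliberately coarse: it only flags that the trailing 56 bytes do not look like ordinary ELF padding, which is enough to route the file to an analyst without knowing the encoding scheme. The other checks are exact matches on values the page states, so a variant that changes paths or arguments would need the constants updated.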

.002 Software Packing

The first stage of COATHANGER is delivered as a packed file.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

COATHANGER removes files from victim environments following use in multiple instances.[1]

Enterprise T1057 Process Discovery

COATHANGER will query running process information to determine subsequent program execution flow.[1]

Enterprise T1055 Process Injection

COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

COATHANGER creates and installs itself to a hidden installation directory.[1]

Enterprise T1095 Non-Application Layer Protocol

COATHANGER uses ICMP for transmitting configuration information to and from its command and control server.[1]

References