| COATHANGER | |
| --- | --- |
| Type of Malware | RAT |
| Country of Origin | China |
| Date of initial activity | 2024 |
| Motivation | Conduct reconnaissance of the computer network and exfiltrate a list of user accounts from the Active Directory server |
| Attack vectors | Vulnerable FortiGate networking appliances (CVE-2022-42475) |
| Targeted systems | Linux, Network |
Overview
COATHANGER is a remote access tool (RAT) specifically targeting FortiGate networking appliances. First detected in 2023, it has been used in targeted intrusions against military and government entities in the Netherlands and other regions. The malware was publicly disclosed in early 2024, with a high-confidence assessment linking it to a state-sponsored entity in the People’s Republic of China.
COATHANGER is deployed after gaining access to a FortiGate device, with in-the-wild observations tied to the exploitation of CVE-2022-42475. The name COATHANGER is derived from a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up.”
The COATHANGER malware provides access to compromised FortiGate devices after installation. The implant periodically connects back to a Command & Control server over SSL, establishing a BusyBox reverse shell.
Notably, the COATHANGER implant is persistent, recovering after every reboot by injecting a backup of itself into the process responsible for rebooting the system. Moreover, the infection survives firmware upgrades. Thus, even fully patched FortiGate devices may remain infected if they were compromised before the latest patch was applied.
Furthermore, COATHANGER is stealthy and difficult to detect with the default FortiGate CLI commands. It hides itself by hooking most of the system calls that could reveal its presence, such as stat and opendir, replacing them in every process that is forced to load preload.so.
Targets
Military and government entities in the Netherlands and other regions.
How they operate
Components of the COATHANGER malware and how they interact.
libpe.so
libpe.so is a Linux shared object that extracts COATHANGER from a packed file located at /tmp/packfile, marking the first stage of COATHANGER. Initially, libpe.so checks if its own process starts with “ls” by examining /proc/[pid]/cmdline. If true, it writes its PID to /tmp/pepid and /sbin/init, creates the /dev/null character file, and sets up the install directory /data2/.bd.key/. It then extracts files from /tmp/packfile to /data2/.bd.key/ and /lib/, including newcli, httpsd, preload.so, authd, sh, and liblog.so. libpe.so writes “/lib/liblog.so” to /etc/ld.so.preload, kills any /bin/miglogd processes, and forces them to use liblog.so upon restart. It then writes “/data2/.bd.key/preload.so” to /etc/ld.so.preload, ensuring preload.so is used by new processes.
/bin/smartctl
smartctl is a wrapper for /bin/sh.
/data2/.bd.key/authd
authd injects a library into a running process and hooks an existing function with a new one. It hooks the reboot function in the PID 1 process with the new reboot function of preload.so.
/data2/.bd.key/httpsd
httpsd is the main executable of the malware. It can store a config, contact the C2 server, and provide a shell to the attacker. Started by newcli, it behaves differently based on the parameters given, either reading or creating a config, or copying and executing itself.
/data2/.bd.key/preload.so
preload.so handles COATHANGER’s persistence and stealth. It is loaded by libpe.so and ensures persistence by injecting itself into the reboot function of PID 1. It also hides COATHANGER files and processes by replacing system calls that could reveal its presence.
/data2/.bd.key/sh
sh is a BusyBox binary used by httpsd to provide shell functionality to the C2 server.
/lib/liblog.so
liblog.so is a shared object that replaces the read(2) function, disabling reading from /dev/fgtlog by processes that have this library loaded.
/tmp/packfile
packfile is a container file that holds all COATHANGER components. libpe.so unpacks this file to deploy COATHANGER.
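The component list above names the on-disk and in-memory artifacts that the deployment chain leaves behind: the two entries libpe.so writes to /etc/ld.so.preload, the /data2/.bd.key/ install directory and its contents, /tmp/packfile, /tmp/pepid, /lib/liblog.so, and the library that ends up mapped into PID 1 through the reboot hook. The triage script below is an added example written for this profile, not tooling from the original source or from the agencies that analysed the malware. It assumes the appliance's filesystem has been extracted or mounted read-only under a directory (`root`) and, optionally, that the text of /proc/1/maps was captured; the assumption that a clean appliance has an empty or absent /etc/ld.so.preload is mine, not a statement from the page. All sample image contents and maps excerpts are constructed inline.

```python
"""Triage an extracted FortiGate filesystem for the COATHANGER artifacts named in the profile.

Added example, not part of the original profile. Assumes ``root`` is the top of an
extracted/mounted image and ``pid1_maps`` is the captured text of /proc/1/maps.
All sample data below is constructed for the demonstration.
"""
import os
import tempfile
from pathlib import Path

# Paths relative to the image root, taken from the component list on this page.
ARTIFACT_PATHS = (
    "data2/.bd.key",              # install directory created by libpe.so
    "data2/.bd.key/preload.so",   # persistence + stealth library
    "data2/.bd.key/httpsd",       # main implant executable
    "data2/.bd.key/authd",        # injector that hooks reboot in PID 1
    "data2/.bd.key/newcli",
    "data2/.bd.key/sh",           # BusyBox used for the reverse shell
    "lib/liblog.so",              # read(2) hook that blanks /dev/fgtlog
    "tmp/packfile",               # packed container of all components
    "tmp/pepid",                  # PID file written by libpe.so
)
# The two entries libpe.so writes to /etc/ld.so.preload.
PRELOAD_IOCS = {"/lib/liblog.so", "/data2/.bd.key/preload.so"}


def check_ld_preload(root):
    """Return every non-empty entry of /etc/ld.so.preload in the image.
    Assumption: a stock appliance ships this file empty or absent, so any entry
    deserves review; the known COATHANGER entries are matched separately."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.strip() for line in fh if line.strip()]


def find_artifacts(root):
    """Return the subset of ARTIFACT_PATHS that exist in the image."""
    return [p for p in ARTIFACT_PATHS if os.path.lexists(os.path.join(root, p))]


def suspicious_mappings(maps_text):
    """Parse /proc/<pid>/maps text and return mapped objects that live in the
    COATHANGER install directory or match its library paths. Run on PID 1 this
    exposes the library injected for the reboot hook."""
    hits = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        # Anonymous mappings, [stack], [heap] etc. carry no absolute path.
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue
        obj = fields[5].strip()
        if obj.startswith("/data2/.bd.key/") or obj in PRELOAD_IOCS:
            hits.add(obj)
    return sorted(hits)


def triage(root, pid1_maps=""):
    """Combine the three checks into one verdict dictionary."""
    preload = check_ld_preload(root)
    result = {
        "ld_preload": preload,
        "ld_preload_iocs": sorted(PRELOAD_IOCS.intersection(preload)),
        "artifacts": find_artifacts(root),
        "pid1_mappings": suspicious_mappings(pid1_maps),
    }
    result["infected"] = bool(
        result["ld_preload_iocs"] or result["artifacts"] or result["pid1_mappings"]
    )
    return result


def build_sample_image(infected):
    """Construct a throwaway directory tree standing in for an extracted image."""
    root = tempfile.mkdtemp(prefix="fgt-image-")
    for d in ("etc", "lib", "tmp", "bin", "data2"):
        Path(root, d).mkdir(exist_ok=True)
    if infected:
        Path(root, "data2", ".bd.key").mkdir()
        for name in ("newcli", "httpsd", "preload.so", "authd", "sh"):
            Path(root, "data2", ".bd.key", name).touch()
        for rel in ("lib/liblog.so", "tmp/packfile", "tmp/pepid"):
            Path(root, rel).touch()
        Path(root, "etc", "ld.so.preload").write_text("/data2/.bd.key/preload.so\n")
    return root


# Constructed /proc/1/maps excerpts, not captured from a real device.
CLEAN_PID1_MAPS = (
    "00400000-004f0000 r-xp 00000000 08:01 1234 /sbin/init\n"
    "7f10a0000000-7f10a01b0000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]\n"
)
INFECTED_PID1_MAPS = CLEAN_PID1_MAPS + (
    "7f10a0400000-7f10a0410000 r-xp 00000000 08:01 9012 /data2/.bd.key/preload.so\n"
)

if __name__ == "__main__":
    import json
    for label, flag, maps in (("clean", False, CLEAN_PID1_MAPS),
                              ("infected", True, INFECTED_PID1_MAPS)):
        print(label, json.dumps(triage(build_sample_image(flag), maps), indent=2))
```

The maps check matters because the filesystem checks alone can be defeated from inside the device: preload.so hooks stat and opendir in every process that loads it, so listings taken with the device's own tooling may omit /data2/.bd.key/ entirely. Reading the image offline, or comparing an on-device listing with an offline one, sidesteps the hooked calls.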
Techniques Used (MITRE)
Application Layer Protocol: Web Protocols (T1071.001)
Command and Scripting Interpreter: Unix Shell (T1059.004)
Create or Modify System Process: Launch Daemon (T1543.004)
Deobfuscate/Decode Files or Information (T1140)
Encrypted Channel: Asymmetric Cryptography (T1573.002)
Exploit Public-Facing Application (T1190)
File and Directory Discovery (T1083)
File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002)
Hide Artifacts: Hidden Files and Directories (T1574)
Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)
Indicator Removal: File Deletion (T1070.004)
Non-Application Layer Protocol (T1095)
Obfuscated Files or Information (T1027)
Obfuscated Files or Information: Software Packing (T1027.002)
Process Discovery (T1057)
Process Injection (T1055)
Rootkit (T1014)
Significant Malware Campaigns
- After gaining access to the Dutch Defence network, the hackers deployed a remote access trojan (RAT) the intelligence agency named COATHANGER to conduct reconnaissance of the computer network and exfiltrate a list of user accounts from the Active Directory server. (June 2024)