
COATHANGER

COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: “She took his coat and hung it up”.(Citation: NCSC-NL COATHANGER Feb 2024)
ID: S1105
Type: MALWARE
Platforms: Windows
Created: 07 Feb 2024
Last Modified: 05 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

COATHANGER provides a BusyBox reverse shell for command and control.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1543.004 Create or Modify System Process: Launch Daemon

COATHANGER will create a daemon for timed check-ins with command and control infrastructure.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

COATHANGER connects to command and control infrastructure using SSL.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1222.002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

COATHANGER will set the GID of `httpsd` to 90 when infected.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

COATHANGER creates and installs itself to a hidden installation directory.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking

COATHANGER copies the malicious file /data2/.bd.key/preload.so to /lib/preload.so, then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/preload.so reboot newreboot 1.(Citation: NCSC-NL COATHANGER Feb 2024) This injects the malicious preload.so file into the process with PID 1, and replaces its reboot function with the malicious newreboot function for persistence.

Enterprise T1070.004 Indicator Removal: File Deletion

COATHANGER removes files from victim environments following use in multiple instances.(Citation: NCSC-NL COATHANGER Feb 2024)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

The first stage of COATHANGER is delivered as a packed file.(Citation: NCSC-NL COATHANGER Feb 2024)
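As an added triage example (not code from the ATT&CK entry or from the NCSC-NL report), the following Python flags the host artefacts named in the T1222.002, T1564.001 and T1574.006 entries above when run over a process list and a file listing; the "pid gid comm args" line format and the sample data are constructed assumptions, not real FortiGate output.

```python
# Added example: triage check for the COATHANGER host artefacts described in the
# ATT&CK entry (hidden /data2/.bd.key directory, /lib/preload.so, the authd launch
# arguments, and httpsd running with GID 90). Input formats are assumptions.
from typing import Iterable

# Artefacts taken from the entry text.
HIDDEN_DIR = "/data2/.bd.key"
PRELOAD_PATH = "/lib/preload.so"
AUTHD_ARGS = "/lib/preload.so reboot newreboot 1"
HTTPSD_GID = 90


def check_processes(ps_lines: Iterable[str]) -> list[str]:
    """Flag process lines matching the authd launch and the httpsd GID artefacts.

    Each line is assumed to be 'pid gid comm args' (constructed format).
    """
    findings = []
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # malformed line, skip
        pid, gid, comm = parts[0], int(parts[1]), parts[2]
        args = parts[3] if len(parts) == 4 else ""
        if comm == "httpsd" and gid == HTTPSD_GID:
            findings.append(f"httpsd pid {pid} running with GID {HTTPSD_GID}")
        if comm.endswith("authd") and AUTHD_ARGS in args:
            findings.append(f"authd pid {pid} launched with preload/newreboot arguments")
    return findings


def check_files(paths: Iterable[str]) -> list[str]:
    """Flag paths matching the hidden install directory or the copied preload library."""
    findings = []
    for p in paths:
        if p == PRELOAD_PATH or p == HIDDEN_DIR or p.startswith(HIDDEN_DIR + "/"):
            findings.append(f"suspicious path {p}")
    return findings


def triage(ps_lines: Iterable[str], paths: Iterable[str]) -> list[str]:
    """Combine both checks into one list of findings (empty means nothing matched)."""
    return check_processes(ps_lines) + check_files(paths)


# Constructed sample data: a clean host and a host showing the artefacts.
CLEAN_PS = ["1 0 init", "212 0 httpsd", "340 0 sshd"]
INFECTED_PS = ["1 0 init", "212 90 httpsd", "415 0 /bin/authd /lib/preload.so reboot newreboot 1"]
CLEAN_FILES = ["/bin/authd", "/lib/libc.so", "/data2/config.db"]
INFECTED_FILES = ["/bin/authd", "/lib/preload.so", "/data2/.bd.key/authd", "/data2/.bd.key/preload.so"]

if __name__ == "__main__":
    print("clean:", triage(CLEAN_PS, CLEAN_FILES))
    print("infected:", triage(INFECTED_PS, INFECTED_FILES))
```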
