Dual Malware Threats: UMBRELLA STAND and SHOE RACK Targeting FortiGate Firewalls


UMBRELLA STAND and SHOE RACK are two advanced malware strains targeting FortiGate 100D series firewalls. UMBRELLA STAND is a multi-component malware enabling remote shell access, file manipulation, and network exfiltration, while SHOE RACK serves as a post-exploitation tool, using reverse SSH tunneling and DNS-over-HTTPS for secure communication and remote access.

Severity Level: High

Threat Details

1. Initial Compromise:
UMBRELLA STAND exploits vulnerabilities in FortiGate 100D series firewalls, gaining access and deploying various tools for persistence and control.
SHOE RACK, once deployed after the initial compromise, establishes a reverse SSH connection using a non-standard version of SSH, allowing attackers to bypass traditional network security measures.

2. Persistence Mechanism:
UMBRELLA STAND uses a combination of reboot hooks, LD_PRELOAD techniques, and file manipulation to ensure the malware survives reboots and remains undetected.
SHOE RACK ensures persistence by modifying SSH configurations and creating reverse SSH tunnels, allowing attackers to maintain remote access to the compromised device without detection.

3. C2 Communication:
UMBRELLA STAND communicates with its C2 server over fake TLS traffic on port 443, masking its true intent by mimicking legitimate encrypted communications.
SHOE RACK uses DNS-over-HTTPS (DoH) to resolve the C2 server's IP, then establishes a TCP/TLS connection for SSH communication. It uses non-standard SSH channels, making detection difficult.
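A defender-side check for the fake-TLS beaconing described above, added here as an example and not part of the original advisory or the NCSC reports: it tests whether a client's first bytes on TCP/443 form a structurally consistent TLS ClientHello, which traffic that only copies the record header will fail. The sample inputs are constructed; the actual UMBRELLA STAND framing is not documented on this page, so this is a generic structural test rather than a signature for the malware.

```python
import struct

TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # record / legacy versions, TLS 1.0 to 1.3
RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}           # ChangeCipherSpec, Alert, Handshake, AppData

def classify_client_first_bytes(data: bytes) -> tuple[str, str]:
    """Classify a client's first bytes on TCP/443 as 'tls', 'suspicious' or 'not_tls'.
    Only a ClientHello whose nested lengths agree passes; header-only mimicry fails."""
    if len(data) < 5:
        return "unknown", "fewer than 5 bytes seen"
    ctype, version, rlen = struct.unpack("!BHH", data[:5])
    if ctype not in RECORD_TYPES or version not in TLS_VERSIONS:
        return "not_tls", "record header is not TLS"
    if ctype != 0x16:
        return "suspicious", "first client record is not a Handshake record"
    body = data[5:5 + rlen]
    if len(body) < 4 or body[0] != 0x01:
        return "suspicious", "handshake record does not carry a ClientHello"
    if int.from_bytes(body[1:4], "big") != rlen - 4:
        return "suspicious", "handshake length disagrees with record length"
    hello = body[4:]
    try:
        cver = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                                   # client_version + 32-byte random
        sid_len = hello[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = hello[pos]; pos += 1 + comp_len
        if pos > len(hello):
            raise IndexError
        if pos < len(hello):                           # optional extensions block
            ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
            if pos + 2 + ext_len != len(hello):
                return "suspicious", "extensions length does not match record"
    except (struct.error, IndexError):
        return "suspicious", "ClientHello fields truncated"
    if cver not in TLS_VERSIONS or sid_len > 32 or cs_len < 2 or cs_len % 2 or comp_len < 1:
        return "suspicious", "ClientHello field values out of range"
    return "tls", "well-formed ClientHello"

def build_client_hello(suites=(0x1301, 0x1302, 0xC02F)) -> bytes:
    """Constructed minimal ClientHello (no extensions), used only as test input."""
    body = struct.pack("!H", 0x0303) + bytes(range(32)) + b"\x00"   # version, 'random', empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs

def build_fake_tls(payload: bytes) -> bytes:
    """Constructed mimic: a plausible record header wrapped around non-TLS bytes."""
    return struct.pack("!BHH", 0x16, 0x0301, len(payload)) + payload
```

Feed the first client-to-server segment of each new 443 flow from a capture into `classify_client_first_bytes`; "suspicious" verdicts on hosts that should only speak HTTPS are the ones worth pulling into an investigation.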

4. Data Exfiltration and Command Execution:
UMBRELLA STAND facilitates file exfiltration, remote shell commands, and manipulation of system settings.
SHOE RACK, via reverse SSH tunnels, allows the attacker to interact with the compromised device and tunnel traffic from other networked systems, enabling deep network pivoting.

Tools Used

  • blghtd (networking binary for tasking and communication)
  • jvnlpe (watchdog for ensuring main binaries stay active)
  • cisz (initial setup tool for launching binaries)
  • libguic.so (injected library for process manipulation)
  • tcpdump, nbtscan, openLDAP (for sniffing traffic and managing network data)
  • dskz (process injection tool)
  • ldnet (GoLang-based reverse SSH client, UPX packed)

MITRE ATT&CK

Tactic              | Technique                                                         | ID        | Details
Execution           | Command and Scripting Interpreter: Unix Shell                     | T1059.004 | UMBRELLA STAND contains functionality to receive and run shell commands.
Defense Evasion     | Deobfuscate/Decode Files or Information                           | T1140     | UMBRELLA STAND contains AES-encrypted strings.
Defense Evasion     | Process Injection                                                 | T1055     | UMBRELLA STAND uses tooling to perform process injection.
Defense Evasion     | Indicator Removal: File Deletion                                  | T1070.004 | UMBRELLA STAND binaries had been deleted from the device.
Defense Evasion     | Hide Artifacts: Process Argument Spoofing                         | T1564.010 | UMBRELLA STAND modifies its process name.
Defense Evasion     | Hide Artifacts: Hidden Files and Directories                      | T1564.001 | UMBRELLA STAND and associated tooling use hidden directories.
Persistence         | Boot or Logon Autostart Execution: Kernel Modules and Extensions  | T1547.006 | UMBRELLA STAND has functionality to modify reboot to achieve persistence.
Persistence         | Hijack Execution Flow: Dynamic Linker Hijacking                   | T1574.006 | UMBRELLA STAND has functionality to load via LD_PRELOAD.
Discovery           | Process Discovery                                                 | T1057     | UMBRELLA STAND performs process discovery to check that its main process is still executing.
Discovery           | Network Service Discovery                                         | T1046     | UMBRELLA STAND was in use with nbtscan, which can list NetBIOS computer names.
Discovery           | Network Sniffing                                                  | T1040     | UMBRELLA STAND was in use with tcpdump, which can be, and was, used to perform packet captures.
Command and Control | Data Obfuscation: Protocol or Service Impersonation               | T1001.003 | UMBRELLA STAND uses fake TLS for communications with the C2 server.

Recommendations

  1. Ensure all FortiGate devices, including the 100D series, are regularly updated with the latest security patches provided by Fortinet.
  2. Review and tighten control over reboot functionality in Fortinet devices to prevent unauthorized hooks like those used by UMBRELLA STAND.
  3. Deploy file integrity monitoring (FIM) and rootkit detection tools to detect unauthorized file changes or the injection of malicious binaries (e.g., blghtd, cisz, libguic.so).
  4. Set up network monitoring systems to detect anomalies in network traffic patterns, especially fake TLS communications or unusual beaconing on port 443.
  5. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/3376b85cfd282c4b7cd8e89379cda57ea457ab95bc5130cac2ee1dccba3db9bf/iocs

Source:

  • https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf
  • https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf
