UMBRELLA STAND and SHOE RACK are two malware strains found on FortiGate 100D series firewalls and analysed by the UK NCSC. UMBRELLA STAND is a multi-component implant that gives the attacker remote shell access, file manipulation and exfiltration of network data; SHOE RACK is a post-exploitation tool that provides a reverse SSH session and TCP tunnelling, resolving its C2 server over DNS-over-HTTPS so the lookup is hidden from conventional DNS monitoring.
Severity Level: High
Threat Details
1. Initial Compromise:
UMBRELLA STAND is deployed after an attacker exploits a vulnerability in a FortiGate 100D series firewall; once on the device it installs further tooling for persistence and control.
SHOE RACK is deployed after the initial compromise and establishes a reverse SSH connection using a non-standard SSH implementation. Because the firewall itself initiates the outbound connection, inbound filtering does not stop it and the session blends in with ordinary egress traffic.
2. Persistence Mechanism:
UMBRELLA STAND survives reboots and stays hidden through a combination of hooking the device's reboot functionality, loading itself via LD_PRELOAD, and manipulating files on the device.
SHOE RACK maintains access by modifying SSH configuration and keeping its reverse SSH tunnels up, so the attacker retains remote access to the compromised device without having to re-exploit it.
3. C2 Communication:
UMBRELLA STAND communicates with its C2 server over "fake TLS" on TCP port 443: a bespoke protocol dressed up to look like TLS, so that to casual inspection the traffic passes as legitimate encrypted web traffic.
SHOE RACK first resolves the C2 server's IP address over DNS-over-HTTPS (DoH), so the lookup does not appear in conventional DNS logs, then establishes a TCP/TLS connection carrying SSH. It uses non-standard SSH channels, which makes signature-based detection difficult.
4. Data Exfiltration and Command Execution:
UMBRELLA STAND supports file exfiltration, execution of remote shell commands, and changes to system settings.
SHOE RACK's reverse SSH tunnels let the attacker interact with the compromised device and forward traffic to other systems behind the firewall, enabling pivoting into the internal network.
Tools Used
- blghtd (networking binary handling tasking and C2 communication)
- jvnlpe (watchdog that ensures the main binaries stay running)
- cisz (initial setup tool that launches the other binaries)
- libguic.so (injected library used for process manipulation)
- tcpdump, nbtscan, OpenLDAP client tools (packet capture, NetBIOS name scanning and LDAP directory queries)
- dskz (process injection tool)
- ldnet (Go-based reverse SSH client, UPX packed)
MITRE ATT&CK
| TACTIC | TECHNIQUE | ID | DETAILS |
| --- | --- | --- | --- |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | UMBRELLA STAND can receive and run shell commands. |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | UMBRELLA STAND contains AES-encrypted strings. |
| Defense Evasion | Process Injection | T1055 | UMBRELLA STAND uses tooling (dskz) to perform process injection. |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | UMBRELLA STAND binaries had been deleted from the device. |
| Defense Evasion | Hide Artifacts: Process Argument Spoofing | T1564.010 | UMBRELLA STAND modifies its process name. |
| Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 | UMBRELLA STAND and associated tooling use hidden directories. |
| Persistence | Boot or Logon Autostart Execution: Kernel Modules and Extensions | T1547.006 | UMBRELLA STAND modifies the reboot functionality to achieve persistence. |
| Persistence | Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 | UMBRELLA STAND can load via LD_PRELOAD. |
| Discovery | Process Discovery | T1057 | UMBRELLA STAND performs process discovery to check that its main process is still running. |
| Discovery | Network Service Discovery | T1046 | UMBRELLA STAND was used alongside nbtscan, which lists NetBIOS computer names. |
| Discovery | Network Sniffing | T1040 | UMBRELLA STAND was used alongside tcpdump, which can be, and was, used to take packet captures. |
| Command and Control | Data Obfuscation: Protocol or Service Impersonation | T1001.003 | UMBRELLA STAND uses fake TLS for communications with the C2 server. |
Recommendations
- Keep all FortiGate devices, including the 100D series, on a supported FortiOS release and apply Fortinet's security patches promptly.
- Monitor FortiGate devices for unexpected changes to reboot behaviour or reboot-related binaries, since UMBRELLA STAND hooks reboot to re-establish itself.
- Use file integrity monitoring (FIM) and rootkit detection, where the platform supports it, to catch unauthorised file changes or dropped binaries (e.g., blghtd, cisz, libguic.so).
- Monitor egress from the firewall itself for anomalies: traffic to TCP/443 that does not negotiate genuine TLS, fixed-interval beaconing, and DoH lookups or SSH sessions originating from the firewall rather than from hosts behind it.
- Block the published IOCs at the respective controls (VirusTotal collection):
https://www.virustotal.com/gui/collection/3376b85cfd282c4b7cd8e89379cda57ea457ab95bc5130cac2ee1dccba3db9bf/iocs
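The following is an added example, not code from the NCSC reports or from the malware: a generic triage heuristic for the "fake TLS on 443" and "regular beaconing" recommendations above. It checks whether the first client-to-server bytes of a flow parse as a structurally valid TLS ClientHello, labels flows that wear a TLS record header but carry no valid handshake as fake TLS, and measures how machine-like the connection timing is. The sample flows, their names and timestamps are constructed for the demonstration; the check does not reproduce UMBRELLA STAND's actual wire format, which is documented in the NCSC analysis.

```python
"""Generic fake-TLS and beaconing triage over constructed flow records (added example)."""
import struct
from dataclasses import dataclass
from statistics import mean, pstdev

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # TLS 1.0 - 1.3 on the wire


def is_well_formed_client_hello(data: bytes) -> bool:
    """Structurally validate the first client record as a ClientHello.

    A real TLS client always opens with a handshake record (0x16) carrying a
    ClientHello (0x01): legal versions, 32-byte random, session id <= 32 bytes,
    a non-empty, even-length cipher-suite list and a non-empty compression list.
    """
    if len(data) < 5:
        return False
    ctype, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE or rec_version not in KNOWN_VERSIONS:
        return False
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        return False
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO or hs_len != rec_len - 4:
        return False
    hello = body[4:]
    if len(hello) < 35 or int.from_bytes(hello[:2], "big") not in KNOWN_VERSIONS:
        return False
    sid_len = hello[34]
    if sid_len > 32 or len(hello) < 35 + sid_len + 2:
        return False
    off = 35 + sid_len
    cs_len = int.from_bytes(hello[off:off + 2], "big")
    if cs_len == 0 or cs_len % 2:
        return False
    off += 2 + cs_len
    if len(hello) < off + 1:
        return False
    comp_len = hello[off]
    return comp_len >= 1 and len(hello) >= off + 1 + comp_len


def classify_first_record(data: bytes) -> str:
    """'tls' for a valid ClientHello; 'fake-tls' when the bytes carry a TLS
    record header (types 0x14-0x17, major version 3) but no valid ClientHello;
    otherwise 'non-tls' (e.g. a plain SSH banner)."""
    if is_well_formed_client_hello(data):
        return "tls"
    if len(data) >= 5 and data[0] in (0x14, 0x15, 0x16, 0x17) and data[1] == 0x03:
        return "fake-tls"
    return "non-tls"


def beacon_regularity(connect_times):
    """Coefficient of variation of the gaps between connections; values near 0
    mean fixed-interval, machine-driven beaconing. None if fewer than 3 connects."""
    if len(connect_times) < 3:
        return None
    gaps = [b - a for a, b in zip(connect_times, connect_times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


@dataclass
class Flow:
    name: str
    dst_port: int
    first_client_bytes: bytes
    connect_times: list  # seconds since capture start (constructed)


def triage(flows):
    """Return {flow name: [reasons]} for flows an analyst should look at."""
    findings = {}
    for f in flows:
        reasons = []
        verdict = classify_first_record(f.first_client_bytes)
        if verdict == "fake-tls":
            reasons.append("TLS record header without a valid ClientHello")
        elif verdict == "non-tls" and f.dst_port == 443:
            reasons.append("non-TLS protocol on 443")
        cv = beacon_regularity(f.connect_times)
        if cv is not None and cv < 0.1 and len(f.connect_times) >= 5:
            reasons.append(f"fixed-interval beaconing (cv={cv:.2f})")
        if reasons:
            findings[f.name] = reasons
    return findings


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello: one suite, null compression, no extensions."""
    hello = b"\x03\x03" + bytes(range(32)) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed sample flows (hypothetical names and timings, not captured data).
FAKE_TLS = b"\x16\x03\x03" + (20).to_bytes(2, "big") + b"\x01\x00\x00\x10" + b"constructed-task"
SAMPLE_FLOWS = [
    Flow("browser", 443, build_client_hello(), [0, 3, 50, 52, 400]),
    Flow("fake-tls-beacon", 443, FAKE_TLS, [0, 60, 120, 180, 240]),
    Flow("ssh-on-443", 443, b"SSH-2.0-OpenSSH_9.6\r\n", [0, 1800, 3600]),
    Flow("appdata-first", 443, b"\x17\x03\x03\x00\x08" + bytes(8), [0]),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_FLOWS).items():
        print(name, "->", "; ".join(reasons))
```

The structural check only catches fake TLS that does not bother to emit a valid ClientHello; an implant that opens with a correct handshake and then talks its own protocol would pass it, so in practice pair this with TLS fingerprinting (JA3/JA4) and a check that the server actually completes a handshake with a certificate.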
Source:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/umbrella-stand/ncsc-mar-umbrella_stand.pdf
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf