What is Coathanger malware

COATHANGER is a sophisticated Remote Access Trojan (RAT) specifically designed to target FortiGate networking appliances. First identified in 2023, this malware has been linked to state-sponsored actors from the People’s Republic of China. The name “COATHANGER” is derived from a unique string in the malware’s code used to encrypt configuration files: “She took his coat and hung it up”.


How Coathanger malware infected your system

COATHANGER primarily exploits a known vulnerability in FortiGate devices, identified as CVE-2022-42475. This vulnerability allows attackers to gain unauthorized access to the device, which they then use to install the COATHANGER malware. The infection process can be broken down into several stages:

  1. Exploitation of Vulnerability: Initial access is gained by exploiting CVE-2022-42475, a pre-authentication remote code execution vulnerability in FortiGate devices.
  2. Installation: Once access is obtained, COATHANGER installs itself on the device. It creates hidden directories and modifies system processes to ensure persistence. The malware hooks system calls to conceal its presence and can survive reboots and firmware upgrades.
  3. Command and Control (C2): COATHANGER establishes a command and control channel by sending HTTP GET requests that initialize a TLS tunnel. It also uses ICMP to transmit configuration information and SSL/TLS for encrypted communication with its C2 servers.
  4. Persistence and Stealth: The malware is designed to be highly stealthy and persistent. It hides its files and directories, modifies file permissions, and hooks into legitimate processes to avoid detection. It can also remove indicators of compromise (IOCs) to further evade security measures.

Remove Coathanger malware manually

Detecting COATHANGER can be challenging due to its stealthy nature. However, several indicators of compromise (IOCs) have been identified:

  1. Presence of specific files and directories such as /data2/, /httpsd, /preload.so, and /authd.
  2. Unusual file modification timestamps and non-standard hidden folders.
  3. Specific YARA rules and JA3 hashes provided by security advisories.
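The following Python script is an added illustration of the first two indicator categories above; it is written for this page and is not the advisory's coathanger.py. It assumes a file listing in a constructed "ISO-timestamp<TAB>path" format exported from a forensic image, a known firmware build time, and constructed sample paths. The IOC names are the ones listed on this page; because legitimate FortiOS files share some of these names, a name match is only reported when a hidden path or an off-build modification time corroborates it, and any hit should still be confirmed with the advisory's YARA rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import posixpath

# IOC names taken from the list on this page. A name hit alone is not
# conclusive (FortiOS ships legitimate files with some of these names), so it
# is reported only when a second indicator corroborates it.
IOC_DIR_PREFIXES = ("/data2/",)
IOC_BASENAMES = {"httpsd", "preload.so", "authd"}

# Assumed firmware build time for the sample image (constructed value).
FIRMWARE_BUILD = datetime(2023, 1, 10, 0, 0, 0)

# Constructed listing in "ISO-mtime<TAB>path" form; this is not FortiOS output.
SAMPLE_LISTING = """\
2023-01-10T00:00:00\t/bin/httpsd
2023-01-10T00:00:00\t/bin/init
2023-01-10T00:00:00\t/data/.example_cfg
2023-03-02T14:21:07\t/data2/.example_hidden/preload.so
2023-03-02T14:21:09\t/data2/.example_hidden/authd
"""


@dataclass(frozen=True)
class FileEntry:
    path: str
    mtime: datetime   # modification timestamp recorded in the listing
    hidden: bool      # True when any path component starts with "."


def _is_hidden(path: str) -> bool:
    """True when any component of the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/") if part)


def parse_listing(text: str) -> list[FileEntry]:
    """Parse the constructed 'mtime<TAB>path' listing into FileEntry records."""
    entries = []
    for line in text.strip().splitlines():
        ts, path = line.split("\t", 1)
        entries.append(FileEntry(path, datetime.fromisoformat(ts), _is_hidden(path)))
    return entries


def find_iocs(entries, firmware_build, tolerance=timedelta(days=1)):
    """Return (path, reasons) for entries where at least two indicators agree.

    Indicators: a name from the page's IOC list, a hidden path component, and a
    modification time further than `tolerance` from the firmware build time.
    """
    findings = []
    for e in entries:
        reasons = []
        if e.path.startswith(IOC_DIR_PREFIXES) or posixpath.basename(e.path) in IOC_BASENAMES:
            reasons.append("ioc-name")
        if e.hidden:
            reasons.append("hidden-path")
        if abs(e.mtime - firmware_build) > tolerance:
            reasons.append("mtime-off-build")
        if len(reasons) >= 2:
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in find_iocs(parse_listing(SAMPLE_LISTING), FIRMWARE_BUILD):
        print(f"{path}: {', '.join(reasons)}")
```

On the constructed sample, the legitimate /bin/httpsd entry is not reported because its timestamp matches the firmware build, while the two files under the hidden /data2/ directory are reported with all three reasons.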

Removal Strategies

Removing COATHANGER from an infected FortiGate device is a complex process due to its persistence mechanisms. The following steps are recommended:

  1. Isolation: Immediately isolate any suspected FortiGate devices to prevent further spread of the malware.
  2. Forensic Analysis: Conduct a thorough forensic analysis of the device. This includes gathering and scrutinizing logs, creating forensic images, and using detection scripts such as coathanger.py to identify IOCs.
  3. Complete Reformat and Reinstallation: The only currently effective method to completely remove COATHANGER is to reformat the device's hard drive, then reinstall and reconfigure FortiOS. This ensures that all traces of the malware are eradicated.
  4. Apply Security Patches: Ensure that all FortiGate devices are updated with the latest firmware patches provided by Fortinet. This closes the vulnerability exploited by COATHANGER and prevents reinfection by the same route.
  5. Implement Security Best Practices: Follow security best practices such as disabling unnecessary services and ports, restricting internet access to the management interface, and regularly monitoring logs for abnormal activity. Network segmentation can also limit the impact of any potential intrusions.

Aliases of Coathanger malware

No aliases are currently known.

Conclusion

COATHANGER represents a significant threat to organizations using FortiGate devices due to its sophisticated infection mechanisms and persistence capabilities. By understanding how this malware operates and implementing robust detection and removal strategies, organizations can better protect their networks from such advanced cyber threats. Regular updates, thorough forensic analysis, and adherence to security best practices are crucial in mitigating the risks posed by COATHANGER and similar malware.

James Kramer