COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, COATHANGER was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. COATHANGER is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name COATHANGER is based on a unique string in the malware used to encrypt configuration files on disk: "She took his coat and hung it up".[1]

ID: S1105
Platforms: Linux, Network
Version: 1.0
Created: 07 February 2024
Last Modified: 05 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

COATHANGER provides a BusyBox reverse shell for command and control.[1]

Enterprise T1543 .004 Create or Modify System Process: Launch Daemon

COATHANGER will create a daemon for timed check-ins with command and control infrastructure.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

COATHANGER decodes configuration items from a bundled file for command and control activity.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

COATHANGER connects to command and control infrastructure using SSL.[1]

Enterprise T1190 Exploit Public-Facing Application

COATHANGER is installed following exploitation of a vulnerable FortiGate device. [1]

Enterprise T1083 File and Directory Discovery

COATHANGER will survey the contents of system files during installation.[1]

Enterprise T1222 .002 File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification

COATHANGER will set the GID of httpsd to 90 when infected.[1]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

COATHANGER creates and installs itself to a hidden installation directory.[1]

Enterprise T1574 Hijack Execution Flow

COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as read(2).[1]

.006 Dynamic Linker Hijacking

COATHANGER copies the malicious file /data2/.bd.key/ to /lib/, then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/ reboot newreboot 1.[1] This injects the malicious file into the process with PID 1, and replaces its reboot function with the malicious newreboot function for persistence.

Enterprise T1070 .004 Indicator Removal: File Deletion

COATHANGER removes files from victim environments following use in multiple instances.[1]

Enterprise T1095 Non-Application Layer Protocol

COATHANGER uses ICMP for transmitting configuration information to and from its command and control server.[1]

Enterprise T1027 Obfuscated Files or Information

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /date/.bd.key/[1]

.002 Software Packing

The first stage of COATHANGER is delivered as a packed file.[1]

Enterprise T1057 Process Discovery

COATHANGER will query running process information to determine subsequent program execution flow.[1]

Enterprise T1055 Process Injection

COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library.[1]

Enterprise T1014 Rootkit

COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices.[1]