Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation | Mandiant

MITRE Techniques

• [T1565.001] Stored Data Manipulation – Corrupted boot files to bypass verification and alter system behavior. (‘Disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files’)
• [T1027] Obfuscated Files or Information – Encrypted cookie and RC4 usage to hide commands and payloads. (‘FGMGTOKEN cookie is encrypted with an RSA key hardcoded into views.py and contained an RC4 key’)
• [T1070] Indicator Removal on Host – Actor cleared logs and edited files to remove trace of connections. (‘echo > /var/log/django.log; echo > /var/log/apache2/error_log; sed -i ‘//d’ /var/log/apache2/*log’)
• [T1070.003] Clear Command History – Evidence of HISTFILE manipulation and clearing of shell history. (‘HISTFILE=’ shown in YARA and anti-forensics commands to clear logs’)
• [T1070.004] File Deletion – Scripts removed backdoor binaries after launch to hamper discovery. (‘rm -rf /bin/klogd … rm -rf /bin/support’ in /bin/support’)
• [T1078] Valid Accounts – Maintained Super Administrator privileges on FortiGate devices for operations. (‘Maintained persistent access with Super Administrator privileges within FortiGate Firewalls’)
• [T1140] Deobfuscate/Decode Files or Information – XOR-based decoding used to extract C2 IP/port from activation packets. (‘XOR encoded C2 IP’ / ‘XOR decoded a 9-byte magic activation string’)
• [T1202] Indirect Command Execution – Used FortiManager scripts and existing management functions to run commands on FortiGate devices. (‘User Fortimanager_Access via fgfmd upload and run script: <script_id> — OK’)
• [T1218.011] Rundll32 – Use of native system utilities to invoke code (article lists native binary manipulation to execute modified binaries). (‘diagnose hardware lscpi’ executed which then invoked modified /bin/sysctl via symlink)
• [T1222] File and Directory Permissions Modification – Replaced and symlinked system binaries to alter execution flow. (‘/bin/lspci -> /bin/sysctl’ symlink observed on compromised FortiGate)
• [T1497] Virtualization/Sandbox Evasion – Deployed to ESXi hypervisors and used hypervisor persistence to evade host-based defenses. (‘installation of malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors’)
• [T1497.001] System Checks – Modified boot-time verification logic to skip signature checks. (‘changed a conditional jump instruction to an unconditional jump instruction which always skipped digital signature verification checks’)
• [T1620] Reflective Code Loading – Modified runtime files and appended code to legitimate framework files (Python views.py) to execute injected code in-process. (‘appended python backdoor code to a legitimate web framework file’)
• [T1552] Unsecured Credentials – Use of encrypted cookies and stored tokens to carry decryption keys and commands. (‘FGMGTOKEN … contained an RC4 key that decrypted the commands received through the DEVICEID cookie’)
• [T1555.005] Password Managers – Access and use of stored credentials or tokens within system management flows (cookies/keys used to authenticate backdoor commands). (‘FGMGTOKEN cookie is encrypted … and contained an RC4 key’)
• [T1016] System Network Configuration Discovery – Discovery of network addresses and use of FortiManager/FortiAnalyzer logs to identify routing and management IPs. (‘Mandiant suspected the FortiGate and FortiManager devices were compromised due to the connections to VIRTUALPITA from the Fortinet management IP addresses’)
• [T1033] System Owner/User Discovery – Enumeration of accounts and ownership used during compromise and lateral movement. (‘Account Discovery’ techniques observed in investigation)
• [T1057] Process Discovery – Actor inspected and replaced system binaries and shell functionality to hide or control processes. (‘file listing entries … contained similar timestamps that did not align with other legitimate binaries’)
• [T1082] System Information Discovery – Collected system file metadata and OS details to guide implant placement. (‘Fortinet identified a trojanized firmware that contained a persistent backdoor’)
• [T1083] File and Directory Discovery – Searched filesystem for binaries to replace or symlink (e.g., /bin/lspci, /bin/sysctl). (‘Mandiant reviewed file listings from multiple FortiGate firewalls in search of modified versions of /bin/lspci’)
• [T1087] Account Discovery – Enumerated accounts (Super Administrator) and management channels to maintain access. (‘Maintained persistent access with Super Administrator privileges’)
• [T1518] Software Discovery – Identified software versions and targets (FortiGate 6.2.7, FortiManager/FortiAnalyzer 6.4.7) for exploitation and persistence.) (‘FortiGate: 6.2.7; FortiManager 6.4.7; FortiAnalyzer 6.4.7’)
• [T1074.001] Local Data Staging – Staged file uploads and backdoor files on devices prior to execution. (‘uploaded .ico files … allowed the threat actor to overwrite legitimate files in a normally restricted system directory’)
• [T1560] Archive Collected Data – Use of utilities to collect and package data from hosts (archiving techniques referenced in collection lifecycle). (‘Archive Collected Data’ listed in MITRE mappings)
• [T1560.001] Archive via Utility – Use of system utilities to archive collected data for exfiltration (listed in collection techniques).
• [T1059] Command and Scripting Interpreter – Execution of scripts and commands via Python, shell, and management scripts to perform actions. (‘appended python backdoor code’ and ‘execute the command line stored in “key”‘)
• [T1059.001] PowerShell – Use of native command interpreters where applicable for command execution (listed in execution section).
• [T1059.003] Windows Command Shell – Use of shell interpreters where applicable for remote command execution (listed in execution section).
• [T1059.004] Unix Shell – Used busybox/Unix shells via CASTLETAP to spawn interactive shells on devices. (‘Spawn busybox based command shell, otherwise fallback to a normal command shell.’)
• [T1059.006] Python – Backdoor implemented as Python code within FortiManager views.py (THINCRUST). (‘appended python backdoor code to a legitimate web framework file’)
• [T1129] Shared Modules – Use of kernel module/rootkit techniques (REPTILE variant of LKM) to run code in kernel context. (‘REPTILE … variant of a publicly available Linux kernel module (LKM) rootkit’)
• [T1095] Non-Application Layer Protocol – Command activation via ICMP and raw layer 2 packets used for backdoor activation. (‘listened for a specialized ICMP packet for activation’ and ‘created a packet socket to receive OSI layer 2 packets’)
• [T1102.001] Dead Drop Resolver – Use of hidden/non-standard channels and encoded payloads for C2 resolution (dead-drop-like behavior via encoded ICMP/packets). (‘Parse C2 information from ICMP payload and connect to it over SSL.’)
• [T1105] Ingress Tool Transfer – Transferred malicious files/VIBs (VIRTUALPITA/VIRTUALPIE) to ESXi hosts to establish persistence. (‘installation of malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors’)
• [T1571] Non-Standard Port – Use of non-standard or redirected ports (TCP 541 redirection) to reach management services. (‘redirect TCP port 541 traffic to another specified port’ via iptables’)
• [T1573.001] Symmetric Cryptography – Use of XOR/RC4 symmetric schemes to encrypt/decrypt C2 payloads and commands. (‘XOR encoded C2 IP’ and ‘RC4 encrypted’ payloads)
• [T1021.004] SSH – Lateral movement via SSH from Fortinet devices to ESXi/vCenter servers. (‘Mandiant observed SSH connections from the Fortinet devices to the ESXi servers’)