A brief exposure of a server linked to KeyPlug malware revealed advanced tooling likely used in ongoing operations, including Fortinet exploit scripts, a webshell, and reconnaissance scripts aimed at a major Japanese company’s internal systems. Although the server was live for less than a day, it provides critical insights into the adversary’s operational tactics and targeting methods. Affected: KeyPlug malware, Fortinet infrastructure, major Japanese enterprises.
Key points:
- Fortinet firewall and VPN exploit scripts were exposed.
- A PHP-based webshell capable of executing AES and XOR-decrypted payloads was identified.
- Network reconnaissance scripts targeted login and internal portals of a major Japanese company.
- The server had a very short lifespan, being live for under 24 hours.
- Discovery included a malicious ELF sample exhibiting backdoor functionality traced to the RedGolf threat group.
- Reconnaissance efforts focused on Shiseido domains, revealing system vulnerabilities.
- Scripts utilized for fingerprinting, exploitation, and remote command execution were detailed.
MITRE Techniques:
- Reconnaissance (T1583) – Utilized scripts for targeting Fortinet appliances and identifying vulnerabilities.
- Exploitation for Client Execution (T1203) – Exploit scripts targeting Fortinet’s WebSocket endpoints.
- Command and Control (T1071) – Implemented via the PHP webshell and PowerShell reverse shell for remote communications.
- Credential Dumping (T1003) – Automated extraction of login credentials from Fortinet devices.
- Indicator Removal on Host (T1070) – The PHP webshell utilized encryption to hide command execution activities.
Indicators of Compromise:
- [IP Address] 154.31.217[.]200
- [IP Address] 45.77.34[.]88
- [SHA-256] 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45
- [Filename] bx.php
- [Filename] client.ps1
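The indicators above are published in defanged form, so they cannot be grepped for directly. The following added example (not code from the original report or from Hunt.io) shows how a defender would refang the listed IPs, normalise the hash, and sweep log lines for all three indicator types, with a word-boundary guard so that `bx.php` does not also match `xbx.php` or `bx.php.bak`. The log lines are constructed for the example; the function names and the log format are assumptions.

```python
from __future__ import annotations
import re

# Indicators exactly as listed on the page (IPs kept defanged as published).
IOC_IPS_DEFANGED = ["154.31.217[.]200", "45.77.34[.]88"]
IOC_SHA256 = {"53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45"}
IOC_FILENAMES = {"bx.php", "client.ps1"}


def refang(ip: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
# A filename may appear bare or at the end of a path; the lookarounds reject
# longer names that merely contain the indicator (e.g. "xbx.php", "bx.php.bak").
FILENAME_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(f) for f in IOC_FILENAMES) + r")(?![\w.-])",
    re.IGNORECASE,
)


def match_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits: list[tuple[str, str]] = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.append(("sha256", digest.lower()))
    for name in FILENAME_RE.findall(line):
        hits.append(("filename", name.lower()))
    return hits


def scan(lines: list[str]) -> list[tuple[int, str, str]]:
    """Sweep a list of log lines; return (line_index, indicator_type, value)."""
    return [(i, kind, value) for i, line in enumerate(lines)
            for kind, value in match_line(line)]


# Constructed sample log lines (hypothetical; not from the report).
SAMPLE_LOGS = [
    '2024-01-01T10:00:00Z fw01 sslvpn: user=admin src=154.31.217.200 action=login result=ok',
    '2024-01-01T10:05:12Z web01 nginx: 10.0.0.5 "GET /index.php HTTP/1.1" 200',
    '2024-01-01T10:07:44Z web01 auditd: file=/var/www/html/bx.php uid=33 op=create',
    '2024-01-01T10:08:01Z edr: sha256=53A24E00AE671879EA3677A29EE1B10706AA5AA0DCCD4697C3A94EE05DF2EC45 proc=/tmp/svc',
    '2024-01-01T10:09:30Z web01 auditd: file=/var/www/html/xbx.php uid=33 op=create',
    '2024-01-01T10:11:02Z proxy: dst=45.77.34.88:443 src=10.0.0.8 bytes=1234',
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_LOGS):
        print(f"line {idx}: {kind} match -> {value}")
```

Hash comparison is done after lowercasing because EDR and SIEM products disagree on case; the IPs are compared as whole tokens so that `154.31.217.200` is not confused with a longer address that shares a prefix.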
Full Story: https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells