Malware Analysis Report: UMBRELLA STAND - Malware targeting Fortinet devices

June 24, 2025, 2:32 p.m.

Description

UMBRELLA STAND is a sophisticated malware targeting FortiGate 100D series firewalls produced by Fortinet. It contains remote shell execution functionality, a configurable beacon frequency, and AES-encrypted C2 communications. The malware uses fake TLS on port 443 to beacon to its C2 server and has the ability to run shell commands. It employs various defense evasion techniques such as hidden folders, generic filenames, and string encryption. UMBRELLA STAND also has persistence mechanisms through reboot hooking and ldpreload. Associated tooling includes BusyBox, nbtscan, tcpdump, and OpenLDAP. The malware demonstrates operational security considerations and shares similarities with the previously reported COATHANGER malware.

Date

  • Created: June 23, 2025, 11:34 a.m.
  • Published: June 23, 2025, 11:34 a.m.
  • Modified: June 24, 2025, 2:32 p.m.

Indicators (SHA-256 file hashes and one IPv4 address)

  • d1d5f502e2039b20269b562bbc1e5622a73bbecad54cb25ae5eaa7a91504e70e
  • d3b88b7f640e478d8d875e12b4561e8c794909e4954aebbc6fd1f5e79f381648
  • a64b41e98e3e1066f41fbff5d4f99f6d34b792d35fe2be7e5d9fa8f3f8b93739
  • 8bacd5df99476328321a7e8e2fc0124c20f7a7ebf3e8f151c050387038515b70
  • 881998c9864d2c7fe35f9b8071dbcf84386cb15da77e6f6a086cf605a4dd7823
  • 6a3abc19f324a475d4ce01fcc69797fc90e1a47970ed90e9cb01f540f3000b4e
  • 65f1e17f7fa2e2fd9c57265f390484a7428c192f59ee41fc7c0d8386ea3b811a
  • 591d60c1d356da827a26f4141fa431d3663af91746d5371014695b1c89bac2b2
  • 38801caae26916367dd6cf6e8c55e50ed62526fe242cd0343dfe80a70564c28a
  • 190293440fce95f45eb8bf5d40334b41dd68c79578d06fe9b34670298daea7f3
  • 89.44.194.32

Attack Patterns

  • SHOE RACK
  • UMBRELLA STAND

Additional Information

  • Defense
  • Government