Coathanger is stealthy, persistent malware, discovered by Dutch intelligence and security services, used by Chinese hackers to infiltrate and exploit FortiGate systems. The initial intrusion began with the exploitation of CVE-2022-42475, a vulnerability in FortiGate devices. According to a report issued by the Dutch General Intelligence and Security Service earlier this year, Coathanger was used as a remote access trojan (RAT) to gain control over edge devices and establish a communication channel to selected victims. It hooks the system calls that could reveal its presence, making it difficult to detect.
The malware's design allows it to recover after every reboot by injecting a backup of itself into the process responsible for rebooting the system. Notably, the infection also survives firmware upgrades, so it keeps running even after system updates are applied. This ability to persist on the infected device underscores the advanced nature of Coathanger.
Dutch officials warn that the stealthy nature of Coathanger likely allows hackers to maintain access to some victims' systems. The malware was found on the network of an unidentified Western diplomatic representative, among other victims, indicating a broad range of targets. The Chinese threat actors reportedly scanned for vulnerable edge devices at scale, gaining access opportunistically and introducing Coathanger as a communication channel for select victims. The Dutch defense department has taken action against the threat, but the targeted and persistent nature of Coathanger highlights the ongoing cybersecurity risks associated with state-backed cyber espionage.
Description last updated: 2024-06-12T02:15:41.782Z