Coathanger

Malware updated 3 months ago (2024-06-12T02:17:30.952Z)
Coathanger is a stealthy and persistent malware family, discovered by the Dutch intelligence and security services, that Chinese state-backed actors used to infiltrate and exploit FortiGate devices. The initial intrusion began with exploitation of CVE-2022-42475, a vulnerability in those devices. According to a report issued earlier this year by the Dutch General Intelligence and Security Service, Coathanger functioned as a remote access trojan (RAT) that gave the operators control over edge devices and a communication channel to selected victims.

The implant hooks the system calls that could reveal its presence, which makes it difficult to detect. It survives every reboot by injecting a backup copy of itself into the process responsible for rebooting the system, and the infection also survives firmware upgrades, so it keeps running even after the device has been updated. This ability to maintain a foothold on the infected device underscores the advanced nature of Coathanger, and Dutch officials warn that its stealth likely lets the operators retain access to some victims' systems.

Among other victims, the malware was found on the network of an unidentified Western diplomatic representative, indicating a broad range of targets. The threat actors reportedly scanned for vulnerable edge devices at scale, gained access opportunistically, and then deployed Coathanger as a communication channel on a subset of those victims. The Dutch defense department has taken action against the threat, but the targeted and persistent nature of Coathanger highlights the ongoing risk posed by state-backed cyber espionage.
Description last updated: 2024-06-12T02:15:41.782Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Fortigate
Chinese
Backdoor
Exploit
Analyst Notes & Discussion
Associated Vulnerabilities
ID: CVE-2022-42475 | Type: is related to | Votes: 2
Profile description: The critical zero-day vulnerability CVE-2022-42475 was discovered in FortiGate firewalls during an incident investigation by the vendor. This flaw in software design or implementation allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in
Source Document References
Information about the Coathanger malware was read from the documents corpus below (display limited to 20 results).

Source | Created | Title
InfoSecurity-magazine | 3 months ago | Chinese FortiGate Espionage Campaign Snares 20,000+ Victims
BankInfoSecurity | 3 months ago | Dutch Agency Renews Warning of Chinese Fortigate Campaign
Securityaffairs | 7 months ago | China-linked APT deployed malware in a network of the Dutch Ministry of Defence
CERT-EU | 6 months ago | Chinese PC-maker Acemagic's machines infected with malware
InfoSecurity-magazine | 7 months ago | Chinese Spies Hack Dutch Networks With Novel Coathanger Malware
BankInfoSecurity | 7 months ago | Chinese Hackers Penetrated Unclassified Dutch Network