| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.004 | Unix Shell | COATHANGER provides a BusyBox reverse shell for command and control. |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.004 | Launch Daemon | COATHANGER will create a daemon for timed check-ins with command and control infrastructure. |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | COATHANGER decodes configuration items from a bundled file for command and control activity. |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | COATHANGER connects to command and control infrastructure using SSL. |
| enterprise | T1190 | Exploit Public-Facing Application | COATHANGER is installed following exploitation of a vulnerable FortiGate device. |
| enterprise | T1083 | File and Directory Discovery | COATHANGER will survey the contents of system files during installation. |
| enterprise | T1222 | File and Directory Permissions Modification | - |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | COATHANGER will set the GID of httpsd to 90 when infected. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | COATHANGER creates and installs itself to a hidden installation directory. |
| enterprise | T1574 | Hijack Execution Flow | COATHANGER will remove and write malicious shared objects associated with legitimate system functions such as read(2). |
| enterprise | T1574.006 | Dynamic Linker Hijacking | COATHANGER copies the malicious file /data2/.bd.key/preload.so to /lib/preload.so, then launches a child process that executes the malicious file /data2/.bd.key/authd as /bin/authd with the arguments /lib/preload.so reboot newreboot 1. This injects the malicious preload.so file into the process with PID 1, and replaces its reboot function with the malicious newreboot function for persistence. |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | COATHANGER removes files from victim environments following use in multiple instances. |
| enterprise | T1095 | Non-Application Layer Protocol | COATHANGER uses ICMP for transmitting configuration information to and from its command and control server. |
| enterprise | T1027 | Obfuscated Files or Information | COATHANGER can store obfuscated configuration information in the last 56 bytes of the file /date/.bd.key/preload.so. |
| enterprise | T1027.002 | Software Packing | The first stage of COATHANGER is delivered as a packed file. |
| enterprise | T1057 | Process Discovery | COATHANGER will query running process information to determine subsequent program execution flow. |
| enterprise | T1055 | Process Injection | COATHANGER includes a binary labeled authd that can inject a library into a running process and then hook an existing function within that process with a new function from that library. |
| enterprise | T1014 | Rootkit | COATHANGER hooks or replaces multiple legitimate processes and other functions on victim devices. |