China Caught Dropping RAT Designed for FortiGate Devices

Dutch military intelligence warns that new malware, called "Coathanger," was found in multiple FortiGate devices during an incident response, and that Chinese-state actors are using the persistent RAT for espionage.

The Netherlands' Military Intelligence and Security Service (MIVD) is warning that it has uncovered a new malware strain, persistent and difficult to detect, that the Chinese government is deploying by exploiting an existing FortiGate flaw, and that it's part of a wider political espionage campaign.

The new remote access Trojan (RAT), called "Coathanger," was used to spy on the Dutch Ministry of Defense (MOD) in 2023, according to a new advisory. During the response to the intrusion, Dutch intelligence service officials discovered the malware was being delivered through a known FortiGate flaw (CVE-2022-42475).

Fortinet's FortiGate devices provide network firewall protections.

The report stresses that Coathanger doesn't take advantage of a new zero-day exploit and is deployed as second-stage malware. However, the advisory added, "Coathanger could be used along with any future FortiGate device vulnerability."

Dutch officials explained, "The Coathanger malware is stealthy and persistent. It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades."

Edge Devices in Cyberattack Crosshairs

The Coathanger malware is part of a wider campaign being waged by Chinese state-sponsored threat actors against Internet-facing edge devices including firewalls, VPN servers, and email servers, according to Dutch authorities.

"Chinese threat actors are known to perform wide and opportunistic scanning campaigns for both published (nday) as well as unpublished (0-day) software vulnerabilities on internet-facing (edge) devices," the advisory cautioned. "They do so with a high operational tempo, sometimes abusing vulnerabilities on the day they are published."

Fortinet devices are a popular cyberattack target, so businesses should stay on top of patches: Just this week, Fortinet reported two max-severity bugs in its FortiSIEM solution that required immediate patching.

Recommendations from intelligence analysts in the Netherlands to keep Coathanger at bay also include performing a regular risk analysis on edge devices, limiting Internet access on edge devices, scheduled logging analysis, and replacing any hardware no longer supported.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
