
A new malware campaign dubbed UMBRELLA STAND has been uncovered by the UK’s National Cyber Security Centre (NCSC), revealing an intricate framework targeting Fortinet FortiGate 100D firewalls through stealthy backdoor access and encrypted communications. The discovery raises serious concerns about ongoing cyber-espionage activity against critical network infrastructure.
According to the report, “UMBRELLA STAND is a collection of actor binaries likely to be deployed by exploiting security vulnerabilities in the target device… intended to facilitate long-term access into a given target network.” The malware is designed to operate within embedded devices, enabling attackers to execute shell commands, configure command-and-control (C2) servers, and manipulate system behavior — all while remaining largely undetected.
The malware consists of several interlinked components, including:
- blghtd – Main networking and tasking binary
- jvnlpe – Watchdog process ensuring persistence of blghtd
- cisz – Initial setup and loader module
- libguic.so – LD_PRELOAD shared object to load other components
- reboot_hooker – Hooks into reboot process for persistence
- a – AES-based file encryptor/decryptor
- BusyBox, nbtscan, tcpdump – Public utilities aiding network reconnaissance and data exfiltration
NCSC notes that “UMBRELLA STAND has been observed deployed in conjunction with a set of publicly available tooling including: BusyBox, nbtscan, tcpdump and openLDAP.”
One of the malware’s standout features is its use of fake TLS beacons over port 443 to obscure communications with its C2 infrastructure. Each beacon begins with a record header that looks like legitimate TLS 1.0 application data (17 03 01), but no real handshake ever takes place. This tactic is categorized under MITRE ATT&CK T1001.003 (Protocol Impersonation).
“Observing a server that responds with TLS data without performing a handshake may be indicative of suspicious activity,” warns the NCSC report.
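The detection idea in that quote, written out as an added example (not from the NCSC report): split the server-to-client half of a captured session into TLS records and flag it when application data (0x17) appears before any handshake record (0x16). The sample streams are constructed for the example, not real captures.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
HANDSHAKE = 0x16
APPLICATION_DATA = 0x17
KNOWN_TYPES = {0x14, 0x15, HANDSHAKE, APPLICATION_DATA}


def parse_tls_records(stream: bytes):
    """Split one direction of a TCP stream into (content_type, version, payload) records.

    Stops at the first byte sequence that is not a well-formed TLS record header,
    or at a truncated record, so a partial capture never raises.
    """
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in KNOWN_TYPES or version >> 8 != 0x03:
            break
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def flags_fake_tls(server_stream: bytes) -> bool:
    """True when the server sends application data with no handshake record before it.

    That is the pattern described above: a 17 03 01 record header carrying an
    encrypted body, with no ClientHello/ServerHello exchange having happened.
    """
    types = [ctype for ctype, _, _ in parse_tls_records(server_stream)]
    if APPLICATION_DATA not in types:
        return False
    first_app_data = types.index(APPLICATION_DATA)
    return HANDSHAKE not in types[:first_app_data]


# Constructed sample streams (server-to-client direction only).
# A real server starts with a handshake record; the body here is a stub.
LEGIT_SERVER = bytes.fromhex("16 03 03 00 04 02 00 00 00") + \
               bytes.fromhex("17 03 03 00 05 de ad be ef 01")
# A fake beacon: application-data header with a TLS 1.0 version field, then
# 16 bytes standing in for an AES-CBC block, and no handshake at all.
FAKE_BEACON = bytes.fromhex("17 03 01 00 10") + \
              bytes.fromhex("00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff")
```

Run over a real capture, feed only the server-to-client bytes of each TCP session on port 443; a hit means a server that talks TLS-looking application data without ever negotiating a session.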
The malware uses AES-CBC encryption with a fixed IV for its messages, and identifies infected hosts via a flipped CRC32 hash of the hostname — allowing the C2 to maintain session persistence.
UMBRELLA STAND supports extensive command and data exfiltration functionality:
- Shell command execution (via BusyBox/ash)
- File reads in 6000-byte chunks
- Command chunking and async execution tracking using .ini files
- Beacon interval reconfiguration and C2 address overrides
UMBRELLA STAND is engineered to survive reboots and evade administrative detection through:
- Reboot hooking — executing loader binaries on system restart
- ld.so.preload hijacking — leveraging dynamic linker injection
- Hidden directories — such as /data2/.ztls/
- Process masquerading — replacing process names with /bin/httpsd
“UMBRELLA STAND modifies its process name… Any difference in length between executable name and the fake string is filled with null bytes,” the report details.
Additionally, FortiOS’s native security features are repurposed to conceal the malware’s presence by abusing string replacement in sysctl binaries.
Key indicators of compromise (IOCs) include:
- C2 IP: 89.44.194.32
- Hidden path: /data2/.ztls/
- AES-encrypted stack strings
- Masqueraded process name: /bin/httpsd
- Injected tool: SYSV664564856, injected into PID 1 (the init process)
The NCSC has also released several robust YARA rules to detect both encrypted and plain-text variants of the malware, ensuring defenders can catch signs of the threat even if obfuscation is applied.
Interestingly, NCSC notes “considerable similarity between the loading components observed in UMBRELLA STAND and COATHANGER.” Both strains utilize persistent hooking mechanisms and modular binary loaders, suggesting a shared toolchain or development lineage.