Analysis Summary

UMBRELLA STAND is a sophisticated malware campaign identified by the Researcher, targeting internet-facing Fortinet FortiGate 100D firewalls. It represents a significant escalation in network infrastructure attacks, using security vulnerabilities to establish long-term persistent access. The malware communicates with its command and control (C2) servers over port 443 using fake TLS handshakes and AES encryption, blending malicious traffic with legitimate HTTPS traffic and leveraging hardcoded IPs like 89.44.194.32 to avoid detection.

According to the Researcher, the malware is modular in nature, with key components such as “blghtd” acting as the central communication binary and “jvnlpe” serving as a watchdog to ensure persistence. It deploys various publicly available utilities like BusyBox (v1.3.11), nbtscan, tcpdump, and openLDAP tools to facilitate network scanning, traffic capture, and directory access. UMBRELLA STAND’s execution environment supports both ash and BusyBox shells, allowing attackers to remotely run shell commands. It even includes safety mechanisms that terminate long-running processes after 900 seconds to avoid drawing administrative attention.

Persistence is achieved through a highly advanced dual-layer approach: first, by hooking and overwriting the Fortinet OS reboot functionality with malicious initialization code, and second, via the ld.so.preload technique, which forces system processes to load the malware’s “libguic.so” library. When specific processes like “usbmux” launch, the malware reinitializes itself using the “cisz” component. This ensures the malware survives reboots and restarts through redundant mechanisms that are tightly integrated with system-level operations.

To evade detection, UMBRELLA STAND manipulates Fortinet’s security features by modifying system binaries such as “/bin/sysctl,” redirecting them to hidden directories like “/data2/.ztls/” instead of the protected “/data/etc/.ftgd_trusted/”. This abuse of FortiOS’s directory-hiding features ensures that the malware's presence is effectively concealed from standard administrative tools. Coupled with encrypted strings and generic Linux-like filenames (e.g., “/bin/httpsd”), these techniques highlight the malware’s operational security sophistication and the serious risk it poses to enterprise network infrastructure.

Impact

• Gain Access
• Security Bypass

Remediation

• Immediately update Fortinet FortiGate firmware to the latest version that addresses known vulnerabilities, especially on 100D series devices.
• Audit all internet-facing FortiGate devices for unauthorized modifications, suspicious binaries (e.g., /bin/httpsd, blghtd, jvnlpe), and hidden directories such as /data2/.ztls/.
• Verify the integrity of system binaries like /bin/sysctl and check for unexpected changes to /etc/ld.so.preload and presence of malicious libraries such as libguic. so.
• Conduct deep packet inspection (DPI) on port 443 traffic to detect abnormal TLS behavior, such as missing handshakes or communication with hardcoded IPs (e.g., 89.44.194.32).
• Use file integrity monitoring (FIM) and behavioral analytics to detect unusual process names or renamed binaries imitating legitimate services.
• Disable unused services and ports, and implement strict access control to minimize attack surface.
• Continuously monitor system logs and network activity for beaconing behavior and abnormal command execution patterns.
• Apply strict egress filtering and network segmentation to prevent lateral movement and restrict C2 communication.
• Run endpoint detection and response (EDR) tools that can identify persistence techniques, memory injections, and encrypted malware activity.
• Engage in threat hunting using indicators of compromise (IOCs) published by NCSC and other security vendors related to UMBRELLA STAND.