URL: https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw
SUSPECTED CHINESE THREAT ACTORS EXPLOITING FORTIOS VULNERABILITY
(CVE-2022-42475)

Scott Henderson, Cristiana Kittner, Sarah Hawley, Mark Lechtik
Jan 19, 2023
17 min read
Vulnerabilities
Zero Day Threats
China
Malware

Mandiant is tracking a suspected China-nexus campaign believed to have exploited
a recently announced vulnerability in Fortinet's FortiOS SSL-VPN,
CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring
as early as October 2022 and identified targets include a European government
entity and a managed service provider located in Africa.

Mandiant identified a new malware we are tracking as “BOLDMOVE” as part of our
investigation. We have uncovered a Windows variant of BOLDMOVE and a Linux
variant, which is specifically designed to run on FortiGate Firewalls. We
believe that this is the latest in a series of Chinese cyber espionage
operations that have targeted internet-facing devices and we anticipate this
tactic will continue to be the intrusion vector of choice for well-resourced
Chinese groups.

On December 12, 2022, Fortinet released a PSIRT Advisory and notified customers
regarding CVE-2022-42475:

 * Fortinet issued instructions on how to search for Indicators of Compromise
 * Fortinet provided additional details including IoCs from subsequent research.


CHINA CONTINUES TO FOCUS ON NETWORK DEVICES

This incident continues China's pattern of exploiting internet-facing devices,
specifically those used for managed security purposes (e.g., firewalls, IPS/IDS
appliances, etc.). These devices are attractive targets for multiple reasons.
First, they are accessible from the internet, and if the attacker has an exploit,
they can gain access to a network without requiring any victim interaction. This
allows the attacker to control the timing of the operation and can decrease the
chances of detection.

The exploits required to compromise these devices can be resource intensive to
develop, and thus they are most often used in operations against hardened and
high-priority targets, often in the government and defense sectors. With
BOLDMOVE, the attackers not only developed an exploit, but also malware that shows
an in-depth understanding of the device's systems, services, logging, and
undocumented proprietary formats. Malware running on an internet-connected
device can enable lateral movement further into a network and enable command and
control (C2) by tunneling commands in and data out of a network.

It is important to note that many of these types of devices do not offer a
simple mechanism to view which processes are running on the device’s operating
systems. These devices are typically intended to inspect network traffic,
searching for anomalies as well as signs of malicious behavior, but are often
not inherently protected themselves.

 * Managed devices may provide only a limited admin interface that allows
   configuration and viewing/collection of logs
 * Managed devices may not allow for additional security products, such as
   Endpoint Detection and Response (EDR) to be installed
 * Access to core security features may be limited to the device manufacturer

Previous public reporting by Mandiant and others on operations targeting these
devices includes:

 * Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass
   Techniques and Pulse Secure Zero-Day  
 * NSA | APT5: Citrix ADC Threat Hunting Guidance 
 * Suspected Chinese Activity Exploiting Zero-Day Vulnerability, Leverages New
   Malware Designed for Internet-Facing Devices
 * Zero-Days Exploit in SonicWall Email Security Lead to Enterprise Compromise


BOLDMOVE BACKDOOR

In December 2022, Mandiant identified the BOLDMOVE backdoor associated with the
exploitation of the CVE-2022-42475 FortiOS vulnerability. BOLDMOVE is written in
C and has both Windows and Linux variants, the latter of which is intended to run
(at least in part) on Fortinet devices, as it reads data from a file proprietary
to Fortinet.

Mandiant has not directly observed exploitation of the vulnerability; however,
samples of the BOLDMOVE Linux variant have hard-coded C2 IP addresses that were
listed by Fortinet as being involved in the exploitation, suggesting
CVE-2022-42475 was exploited to deliver BOLDMOVE. In addition to the Linux
variant, Mandiant also identified a Windows version. Windows versions of BOLDMOVE
appear to have been compiled as early as 2021. However, Mandiant has not seen
this malware in use in the wild, so it is uncertain how it was used. In-depth
analysis of the malware is provided later in this post.


ATTRIBUTION

We assess with low confidence that this operation has a nexus to the People’s
Republic of China. China-nexus clusters have historically shown significant
interest in targeting networking devices and manipulating the operating system
or underlying software which supports these devices. In addition, the
geographical and sector targeting is consistent with previous Chinese
operations.

 * Limited technical indicators point to the development of the malware as
   having been compiled on a machine in the UTC+8 time zone, which includes
   Australia, China, Russia, Singapore, and other Eastern Asian countries, and
   on a machine configured to display Chinese characters.
 * A host survey buffer, which is used by the Windows variant of BOLDMOVE to
   provide the C2 with information on the infected host, starts with the string
   “gbk”. The comparable survey buffer of the Linux variant starts with “utf-8”,
   which indicates that this field designates the character encoding. In this
   context, “gbk” refers to an extension of a Chinese character set.
 * The exploitation of zero-day vulnerabilities in networking devices, followed
   by the installation of custom implants, is consistent with previous Chinese
   exploitation of networking devices.

Mandiant has previously reported on significant campaigns impacting networking
devices, likely revealing a long-standing interest by China to embed cyber
campaigns in the overarching telecommunications and networking architecture used
by organizations worldwide:

 * In April 2021, Mandiant reported extensively on the exploitation of Pulse
   Secure. Mandiant recently responded to multiple security incidents involving
   compromises of Pulse Secure VPN appliances. 
 * In March 2021, Mandiant identified three zero-day vulnerabilities in
   SonicWall’s Email Security (ES) product that were being exploited in the
   wild. Mandiant’s investigations informed us that the adversary leveraged
   these vulnerabilities, with intimate knowledge of the SonicWall application,
   to install a backdoor, access files and emails, and move laterally into the
   victim organization’s network.


OUTLOOK

Mandiant has produced in-depth reporting on the growing number of managed,
internet-facing and connected devices targeted by Chinese threat actors. This
latest campaign may be a continuation of a long-standing practice by China-nexus
cyber espionage actors. This campaign and its infection vector should also serve
as a strong reminder of the importance of keeping externally facing devices, and
any others exposed to the internet, current with updates and patches.

This campaign, and other similar campaigns, offer defenders a unique look into
the vulnerabilities and gaps many organizations constantly face when services
and networks are managed remotely. Given their configuration, it is very hard to
measure the scope and extent of malicious activity that results from exploiting
internet facing network devices, as we have little to no information that can
indicate those devices are compromised.

There is no mechanism to detect malicious processes running on such devices, nor
telemetry to proactively hunt for malicious images deployed on them following an
exploitation of a vulnerability. This makes network devices a blind spot for
security practitioners and allows attackers to hide in them and maintain stealth
for long periods, while also using them to gain a foothold in a targeted network.


BOLDMOVE LINUX ANALYSIS

BOLDMOVE is a fully featured backdoor written in C and compiled with GCC 11.2.1.
When executed it performs a system survey and is capable of receiving commands
from a C2 server that in turn allow attackers to control the file system, spawn
a remote shell, or relay traffic via the infected host.

Based on indicators from the original Fortinet advisory, Mandiant was able to
identify multiple Linux versions of BOLDMOVE. There is a core set of features
across all observed instances of BOLDMOVE, Windows and Linux, and at least one
Linux sample contained extended capabilities enabling it to alter specific
behaviors and functionality of Fortinet devices, namely FortiGate Firewalls.

Core Features

Upon execution, BOLDMOVE attempts to form a session with a hard-coded C2 server.
Once it is established, it performs a system survey to collect information that
identifies the infected machine to the C2. Information collected is outlined in
Table 1. 

Table 1: System Survey

Index | Field Value
0 | Encoding used for the strings in the survey buffer: utf-8
1 | Hard-coded string that seemingly identifies the sample or campaign, e.g.,
    “Cora/c”
2 | OS version string. For Linux-based operating systems this string has the
    format “Linux <linux_version> <utsname.release> <utsname.machine>
    [<utsname.version>]”, wherein the various fields are obtained from a call to
    the uname function. For non-Linux operating systems this string has the
    format “<utsname.sysname> <utsname.release> <utsname.machine>
    [<utsname.version>]”. The substring <linux_version> is constructed by reading
    data from one of the files /etc/system-release, /etc/os-release (looking for
    the values of the NAME= and VERSION= keys), /migadmin/ng/vpn/map/pkginfo.json
    (looking for the value enclosed by the strings ver_s\":\" and \",\"chksum),
    or /etc/debian_version.
3 | Host name
4 | Comma-separated list of <ip>/<mask> entries that represent network
    interfaces on the host
5 | The effective user ID of the backdoor's process (result of geteuid())
6 | The process ID of the backdoor's process
7 | String of the format
    cwd=<current_dir>\r\nexecutable=<current_image_path>\r\nevent=wv\r\nserver=139.180.128.142:443\r\n/proc/version=<proc_version_data>

Subsequently, the C2 may send commands for execution that allow attackers to
control the infected device. Command codes across platforms and versions of
BOLDMOVE may vary but their core capabilities do not appear to change and
include:

Table 2: Supported commands

Major Command Code | Minor Command Code | Command
0x0 | 0x0 | Frees all resources and terminates the backdoor
0x11 | 0x21 | Lists information on all files in the system recursively,
    starting from the root directory. In addition to the file's path, the
    information provided for each file is based on the output of the stat
    function and includes the following fields of the stat structure (see the
    stat(2) manual page): st_mode, st_size, st_mtim.tv_sec, st_uid, st_gid.
0x11 | 0x0 | Lists information on files recursively, starting from a given
    directory
0x12 | 0x0 | Creates a new directory via mkdir
0x13 | 0x0 | Removes a directory via rmdir
0x14 | 0x10 | Given an attacker-provided file path, removes an existing file
    (if one exists) and creates a new file in its place
0x14 | 0x21 | Closes a file descriptor that was opened for writing
0x14 | 0x32 | Writes data to the created file
0x15 | 0x10 | Gets a file's size before reading from it
0x15 | 0x21 | Closes a file descriptor that was opened for reading
0x15 | 0x40 | Reads data from a formerly opened file
0x20 | 0x0 | Executes a shell command and sends back the output
0x20 | 0x33 | Executes a shell command without sending back the output
0x21 | 0x10, 0x21, 0x43, 0x44, 0x45 | Creates an interactive shell that
    leverages two pipes, one for processing shell input from the server and
    another for sending back shell output, thus supporting an asynchronous
    session between the C2 and the infected host. The various subcommands handle
    actions involved in forming and maintaining the shell session
0x22 | 0x10, 0x21, 0x32, 0x33 | Creates an interactive shell that leverages a
    single pipe for both passing server-sourced input to the shell and
    retrieving command output from it. The shell works in a synchronous mode,
    wherein on each access the pipe is either probed to retrieve shell output or
    written with input data. The various subcommands handle actions involved in
    forming and maintaining the shell session
0x30 | 0x15, 0x16, 0x17, 0x18 | Initiates a network traffic relay session. The
    C2 sends a target address as an argument, and further packets passed through
    sub-commands of this command are used to pass data back and forth to and
    from the target server
0x53 | 0x10 | Deletes the backdoor's image and creates a new one with the same
    name in preparation for writing an updated backdoor image
0x53 | 0x21 | Closes the file descriptor opened for writing a backdoor image
    update
0x53 | 0x32 | Writes data sent from the C2 server to the formerly opened file
    descriptor that corresponds to the updated backdoor image
0x54 | 0x0 | Spawns a new process of the backdoor with the argument 1, which
    would in turn attempt to execute an image with that name. The purpose of
    this action is unclear.
0x55 | 0x0 | Same as command 0x54
0x56 | 0x0 | Serves as an echo command; receives a command packet from the
    server and replies with a packet that has the same major command code and a
    blank body. Possibly used to check the infected host's connectivity/state.

The Linux iteration of BOLDMOVE leverages several statically compiled libraries
to implement its functionality: 

 * An undetermined and likely custom library used for event handling
   (reminiscent of libevent). It operates in a single-threaded mode, wherein
   each action is scheduled and executed as an event callback. This may indicate
   that the developers aimed to support infecting single-core devices, among
   others.
 * WolfSSL (also compiled in a single-threaded mode), which facilitates SSL
   encrypted communication to the C2 server.
 * Musl libc

Upon failure, the malware re-executes itself in a new process. In addition, if
the malware is executed with a command-line argument, it does not initiate the
backdoor logic but rather attempts to execute the provided argument as a new
process.

Prior to starting the backdoor's logic, the malware calls the signal function in
order to ignore the signals SIGCHLD, SIGHUP and SIGPIPE.


EXTENDED FEATURES

The extended version of BOLDMOVE (MD5: 3191cb2e06e9a30792309813793f78b6)
contains all the aforementioned functionality but with additional features.

The extended version contains Execution Guardrails (T1480) by verifying that it
is executing from a specific path. It accomplishes this in the following manner:

 1. Retrieves its own path from /proc/self/exe
 2. Obtains an inode for this resultant path via fstatat
 3. Obtains a secondary inode for the statically defined path /bin/wxd
 4. Compares these two inode records

Figure 1: Path Execution Guardrails

The extended version contains a command that can perform Indicator Blocking
(T1562.006) by disabling the Fortinet daemons miglogd and syslogd. It also
contains a command enabling it to patch the memory address spaces of the same
logging daemons. Because Mandiant was unable to obtain those executables from
Fortinet devices, we are unable to accurately determine the nature of those
patches. However, Mandiant assesses it is likely that they are intended to
disable a logging capability during the backdoor's run-time. The data for each
patch is kept in the following struct:

struct st_log_patch_struct
{
    char fortigate_version_name[24];
    __int64 target_addr1;
    __int64 patch_bytes1;
    __int64 target_addr2;
    __int64 patch_bytes2;
} log_patch_struct;

Table 4 in Appendix A summarizes the targeted FortiGate Devices, their
corresponding patched addresses, and bytes.
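The struct above together with Table 4 describes a fixed 56-byte record: a 24-byte version name followed by four 8-byte fields. The following Python is an added example, not code from the report or from the malware, showing how an analyst would parse a run of such records carved from a sample into rows of Table 4's form. Little-endian storage and a zeroed record as the table terminator are assumptions; the two patch_bytes fields are read as raw 8-byte strings rather than integers because the byte order they are written with is what matters. The input blob is constructed from two Table 4 rows.

```python
import struct
from dataclasses import dataclass
from typing import List

# Layout of st_log_patch_struct as given in the report: char[24] followed by four
# __int64 fields, 56 bytes in total. Little-endian storage is an assumption; the
# patch_bytes fields are unpacked as raw 8-byte strings since it is their
# in-memory byte order, not their integer value, that is written into the daemon.
RECORD_FMT = "<24sQ8sQ8s"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 56


@dataclass(frozen=True)
class LogPatch:
    fortigate_version_name: str
    target_addr1: int
    patch_bytes1: bytes
    target_addr2: int
    patch_bytes2: bytes


def parse_patch_table(blob: bytes) -> List[LogPatch]:
    """Split a carved table of consecutive records; a record whose name begins
    with a NUL byte is taken as the terminator (assumption)."""
    records: List[LogPatch] = []
    for off in range(0, len(blob) - RECORD_SIZE + 1, RECORD_SIZE):
        name, a1, b1, a2, b2 = struct.unpack_from(RECORD_FMT, blob, off)
        name = name.split(b"\0", 1)[0]
        if not name:
            break
        records.append(LogPatch(name.decode("ascii"), a1, b1, a2, b2))
    return records


def hexpairs(data: bytes) -> str:
    """Render bytes the way Table 4 prints them: 'E0 03 02 AA ...'."""
    return " ".join(f"{b:02X}" for b in data)


def as_table_row(p: LogPatch) -> str:
    """One record in the column order of Table 4."""
    return (f"{p.fortigate_version_name} | 0x{p.target_addr1:X} | {hexpairs(p.patch_bytes1)}"
            f" | 0x{p.target_addr2:X} | {hexpairs(p.patch_bytes2)}")


def build_sample_blob() -> bytes:
    """Constructed input: two rows of Table 4 packed as records plus a zero
    terminator, standing in for bytes carved from a sample."""
    rows = [
        ("FG100F v7.0.5", 0x1E4BFA8, "E0 03 02 AA 7F 0A 00 B9", 0x25A6A50, "E0 03 02 AA 1F 00 00 71"),
        ("FG200D v6.0.11", 0x1E4F9CC, "48 89 D0 90 90 83 F8 00", 0x0EC73DF, "48 89 D0 90 90 49 89 C7"),
    ]
    packed = b"".join(
        struct.pack(RECORD_FMT, name.encode("ascii").ljust(24, b"\0"),
                    a1, bytes.fromhex(b1), a2, bytes.fromhex(b2))
        for name, a1, b1, a2, b2 in rows
    )
    return packed + b"\0" * RECORD_SIZE


if __name__ == "__main__":
    for rec in parse_patch_table(build_sample_blob()):
        print(as_table_row(rec))
```

Reading the recovered bytes as instructions also explains why Table 4 has two byte families: E0 03 02 AA is the AArch64 encoding of mov x0, x2, and 48 89 D0 90 90 is the x86-64 encoding of mov rax, rdx followed by two nops, so the patch set covers daemon builds for both architectures.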

Additionally, the extended version of BOLDMOVE contains a command capable of
modifying proprietary Fortinet logs on the system. It checks the following
paths:

 * /tmp/log
 * /var/log/log
 * /var/log

For filenames matching the format:

 * elog
 * offset/elog.ofs
 * offset/elog.<index>.cidx

One of BOLDMOVE’s extended variant commands is capable of decompressing,
parsing, and overwriting the undocumented structure pertaining to those
proprietary log files allowing the attacker to modify chosen parts of the logs.

The extended version contains a watchdog-like feature that may enable the
malware to persist across upgrades. To accomplish this, BOLDMOVE monitors two
files via the fstatat function:

/data/lib/libgif.so

/data/lib/libips.so

If the size of these files differs, BOLDMOVE performs the following actions:

 * Creates a backup of the legitimate file /data/lib/libips.so stored at
   /data/lib/libiptcp.so
 * Overwrites the legitimate library /data/lib/libips.so with a trojanized
   version of it located at /data/lib/libgif.so

Thus, if there were to be a system patch that replaced /data/lib/libips.so and
the malware was still executing, it would be able to undo the patch and maintain
execution.
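The three file paths above give a defender something concrete to look for. The following Python is an added example (not part of the report) that applies those relationships to an offline copy of a device filesystem, such as an image acquired during incident response: it flags the staged /data/lib/libgif.so, the /data/lib/libiptcp.so backup, and a /data/lib/libips.so that is byte-identical to libgif.so, which is the state the swap described above leaves behind. The directory tree it scans is constructed in a temporary directory and its file contents are placeholders, not real FortiGate libraries.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import List

# File paths named in the report, relative to the root of the device filesystem.
LEGIT_LIB = "data/lib/libips.so"     # legitimate library that gets overwritten
TROJAN_LIB = "data/lib/libgif.so"    # trojanized copy staged by BOLDMOVE
BACKUP_LIB = "data/lib/libiptcp.so"  # backup of the legitimate library


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_lib_swap(root: str) -> List[str]:
    """Report on-disk traces of the libips.so swap for an offline copy of the
    filesystem rooted at `root`; an empty list means none were found."""
    base = Path(root)
    legit, trojan, backup = base / LEGIT_LIB, base / TROJAN_LIB, base / BACKUP_LIB
    findings: List[str] = []
    if trojan.exists():
        findings.append(f"/{TROJAN_LIB} present (staged trojanized library)")
    if backup.exists():
        findings.append(f"/{BACKUP_LIB} present (backup made before overwrite)")
    if legit.exists() and trojan.exists() and sha256_file(legit) == sha256_file(trojan):
        findings.append(f"/{LEGIT_LIB} is byte-identical to /{TROJAN_LIB} (swap completed)")
    if legit.exists() and backup.exists() and sha256_file(legit) != sha256_file(backup):
        findings.append(f"/{LEGIT_LIB} differs from its backup /{BACKUP_LIB}")
    return findings


def build_sample_root(compromised: bool) -> str:
    """Constructed sample tree in a temporary directory; the contents are
    placeholder bytes, not real FortiGate libraries."""
    root = tempfile.mkdtemp(prefix="fgt-image-")
    lib = Path(root, "data", "lib")
    lib.mkdir(parents=True)
    legit_content = b"placeholder: legitimate libips.so (constructed)"
    trojan_content = b"placeholder: trojanized libips.so (constructed)"
    if compromised:
        (lib / "libiptcp.so").write_bytes(legit_content)  # backup of the original
        (lib / "libgif.so").write_bytes(trojan_content)   # staged replacement
        (lib / "libips.so").write_bytes(trojan_content)   # original overwritten
    else:
        (lib / "libips.so").write_bytes(legit_content)
    return root


if __name__ == "__main__":
    for state in (False, True):
        label = "compromised" if state else "clean"
        print(label, "->", assess_lib_swap(build_sample_root(state)) or ["no findings"])
```

Since the device itself offers no shell for running such a check (the report's point about missing process visibility), the script is meant for a filesystem copy obtained out of band, and Fortinet's published IoC guidance remains the primary reference for what to look for.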

In addition, the extended version contains a command that allows the attackers
to send requests to an internal Fortinet service, possibly to modify device
settings or expose internal parts of the associated network to the internet.
BOLDMOVE reads the contents of /dev/cmdb/vdom and parses its information to
retrieve a numeric value, which may be associated with a virtual domain on the
device. Then it creates a connection to “127.0.0.1”, localhost, over an
attacker-provided port. This suggests that a server is expected to run on that
port locally. The command handler sends attacker-chosen data over the
established connection and relays any retrieved response back to the C2.

Table 3 outlines some of the differences between the Windows and Linux variants
of BOLDMOVE that were identified by Mandiant:

Table 3: Differences between the Windows and Linux variants of BOLDMOVE

Compiler
  Windows: C, compiled with MinGW (GCC: (GNU) 10.2.1 20210227). Compile time:
    2021-08-26 07:13:04
  Linux: C, compiled with GCC 11.2.1 20211120. Compile time: unknown

SSL/TLS
  Windows: No
  Linux: Yes

UserAgent
  Windows: curl/6.12.34 (this is a non-public version of libcurl; the last v6
    build was 6.5; also, the malware itself does not make actual use of libcurl)
  Linux: curl/6.12.34

C2
  Windows: Private class C IP address
  Linux: Globally routable IP address

Supports lightweight systems
  Windows: No. Uses an event-driven model wherein event callbacks are used
    instead of threads. This is facilitated by a library like the one leveraged
    by the Linux variant of BOLDMOVE; however, the reason for using it in
    Windows is unclear.
  Linux: Yes.
    * Uses an event-driven model, wherein event callbacks are used instead of
      threads
    * Musl is compiled statically into the malware's binary image. Musl is
      known for its lighter utilization of resources in comparison to other
      libc variants.
    * WolfSSL, which the malware uses for encrypting traffic to the C2, is also
      designed in part with embedded devices in mind.

Encryption
  Windows: Established connection packets are encrypted with Salsa20.
    Key: <8_byte_pseudorandom_nonce> || “e8dm_$Gb”
  Linux: Established sessions are encrypted with AES128.
    Key: <8_byte_pseudorandom_nonce> || “rg8P@TD(“
    IV: <8_byte_pseudorandom_nonce> || “e5sm_$Gb”

Campaign
  Windows: 0.1c#2021-08-26 15:13:01
  Linux: Charlotte/c (other campaign names were observed in different samples
    of the Linux variant)

The survey and commands are functionally equivalent between the Linux and
Windows variants.


WINDOWS AND LINUX VARIANT COMPARISON

Table 3 shows the distinction between the Windows and Linux variants of
BOLDMOVE. Most importantly, the Windows variant appears to have been compiled a
year before the Linux variants. This discrepancy in time could indicate that the
attackers have been developing BOLDMOVE and possibly using it in the wild since
that time. The differences may offer insight into the functionality and intended
use of the malware.

 * There are a few differences in the choice of libraries that were statically
   compiled into each of the variants. While the WolfSSL library was used in
   Linux in order to encrypt traffic, the Windows variant does not make use of
   it. In addition, the Linux version leverages a statically compiled Musl libc
   library, as opposed to the standard libc functions imported as a result of
   compiling the Windows variant with MinGW. The usage of Musl libc in the
   Linux variant, along with a library that facilitates event-driven
   communication with the C2 server, could indicate that the Linux version is
   generally intended to be used on embedded devices and devices with low
   processing power.
 * Mandiant assesses that the BOLDMOVE Linux variant was deployed on Fortinet
   devices after a successful exploitation of CVE-2022-42475. However, the
   method for initial infection from the Windows variant is currently unclear.
   With that in mind, a private class C IP address (192.168.120[.]206) that was
   used in the Windows variant could indicate that it was used to communicate
   with an infected device inside the network following lateral movement or was
   merely used for testing.


ACKNOWLEDGMENT

Mandiant would like to acknowledge Fortinet's assistance in sharing information,
coordinating, and analyzing Mandiant's findings to verify their veracity.


APPENDIX A: PATCHES

Table of patches made in memory addresses of miglogd and syslogd logging daemons
on various FortiGate versions by the extended Linux version of the BOLDMOVE
backdoor. Those patches are made seemingly in order to weaken logging mechanisms
during the malware’s run-time.

Table 4: Patches made in memory addresses of miglogd and syslogd logging daemons
on various FortiGate versions

FortiGate Version   Address 1   Bytes Written to Address 1   Address 2   Bytes Written to Address 2
FG100F v7.0.5       0x1E4BFA8   E0 03 02 AA 7F 0A 00 B9      0x25A6A50   E0 03 02 AA 1F 00 00 71
FG100F v7.0.7       0x1E88B68   E0 03 02 AA 7F 0A 00 B9      0x2604C90   E0 03 02 AA 1F 00 00 71
FG101F v6.4.10      0x1A5DD80   E0 03 02 AA 7F 0A 00 B9      0x213C154   E0 03 02 AA 1F 00 00 71
FG101F v6.4.8       0x1A2FA90   E0 03 02 AA 7F 0A 00 B9      0x20F0C00   E0 03 02 AA 1F 00 00 71
FG200D v6.0.11      0x1E4F9CC   48 89 D0 90 90 83 F8 00      0x0EC73DF   48 89 D0 90 90 49 89 C7
FG200E v6.0.12      0x1DB524D   48 89 D0 90 90 83 F8 00      0x0F03262   48 89 D0 90 90 49 89 C5
FG200E v6.4.4       0x19409FD   48 89 D0 90 90 83 F8 00      0x1FABDDA   48 89 D0 90 90 85 C0 7F
FG200E v7.0.4       0x1E65991   48 89 D0 90 90 C7 43 08      0x25D5F31   48 89 D0 90 90 85 C0 7F
FG200E v7.0.8       0x1ECAE81   48 89 D0 90 90 C7 43 08      0x2665951   48 89 D0 90 90 85 C0 7F
FG200E v7.2.0       0x1F3AFD1   48 89 D0 90 90 C7 43 08      0x26EB5C1   48 89 D0 90 90 85 C0 7F
FG201F v6.4.7       0x1AB581D   48 89 D0 90 90 83 F8 00      0x217156A   48 89 D0 90 90 85 C0 7F
FG201F v6.4.9       0x1ABF90D   48 89 D0 90 90 83 F8 00      0x218388B   48 89 D0 90 90 85 C0 7F
FG240D v6.0.12      0x1E5558C   48 89 D0 90 90 83 F8 00      0x0EC753F   48 89 D0 90 90 49 89 C7
FG3H0E v6.2.10      0x2019ABD   48 89 D0 90 90 83 F8 00      0x1FB826B   48 89 D0 90 90 85 C0 7F
FG5H0E v6.0.5       0x1CF537D   48 89 D0 90 90 83 F8 00      0x0EBD7B0   48 89 D0 90 90 49 89 C5
FG6H1E v6.4.8       0x1A1E21D   48 89 D0 90 90 83 F8 00      0x20CE65A   48 89 D0 90 90 85 C0 7F
FG6H1E v6.4.9       0x1A2862D   48 89 D0 90 90 83 F8 00      0x20DF7FB   48 89 D0 90 90 85 C0 7F
FG6H1E v7.2.1       0x20AFCE1   48 89 D0 90 90 C7 43 08      0x28BF201   48 89 D0 90 90 85 C0 7F
FG800D v6.2.10      0x20E18ED   48 89 D0 90 90 83 F8 00      0x2080AEB   48 89 D0 90 90 85 C0 7F
FG800D v6.2.11      0x20E1B2D   48 89 D0 90 90 83 F8 00      0x2080D2B   48 89 D0 90 90 85 C0 0F
FG800D v7.0.8       0x1F61271   48 89 D0 90 90 C7 43 08      0x272DCF1   48 89 D0 90 90 85 C0 7F
FGT5HD v6.4.10      0x1A317CD   48 89 D0 90 90 83 F8 00      0x210250B   48 89 D0 90 90 85 C0 7F
FGT60F v6.4.10      0x1953248   E0 03 02 AA 7F 0A 00 B9      0x1FFD6A4   E0 03 02 AA 1F 00 00 71
FGT60F v6.4.4       0x1904898   E0 03 02 AA 7F 0A 00 B9      0x1F7BF88   E0 03 02 AA 1F 00 00 71
FGT60F v6.4.8       0x192D018   E0 03 02 AA 7F 0A 00 B9      0x1FB7450   E0 03 02 AA 1F 00 00 71
FGT60F v6.4.9       0x193B0B0   E0 03 02 AA 7F 0A 00 B9      0x1FFC304   E0 03 02 AA 1F 00 00 71
FGT80F v6.4.10      0x19F6360   E0 03 02 AA 7F 0A 00 B9      0x20ADA54   E0 03 02 AA 1F 00 00 71
VM64 v6.2.3         0x1A64193   48 89 D0 90 90 83 F8 00      0x0F2F646   48 89 D0 90 90 85 C0 48
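One way a responder can use Table 4 to check a dumped miglogd or syslogd memory image for these patches, as an added example that is not code from the original post or from Mandiant: the version-keyed check compares the bytes at the listed addresses, and the version-independent scan looks for any of the distinct 8-byte sequences from the table anywhere in a raw image. The `read_mem` callback interface, the three-row subset of the table, and the sample segments are assumptions constructed for the example.

```python
from typing import Callable, Optional

# Three rows of Table 4 (FortiGate version -> [(address, bytes written)]) copied from the
# post; the remaining rows of the table are added in the same shape.
PATCH_TABLE = {
    "FG100F v7.0.5": [(0x1E4BFA8, "E0 03 02 AA 7F 0A 00 B9"), (0x25A6A50, "E0 03 02 AA 1F 00 00 71")],
    "FG200E v7.0.8": [(0x1ECAE81, "48 89 D0 90 90 C7 43 08"), (0x2665951, "48 89 D0 90 90 85 C0 7F")],
    "VM64 v6.2.3":   [(0x1A64193, "48 89 D0 90 90 83 F8 00"), (0x0F2F646, "48 89 D0 90 90 85 C0 48")],
}

# Every distinct 8-byte sequence that appears anywhere in Table 4 (ARM64 rows first, then x86-64).
PATCH_PATTERNS = [bytes.fromhex(s) for s in (
    "E0 03 02 AA 7F 0A 00 B9", "E0 03 02 AA 1F 00 00 71",
    "48 89 D0 90 90 83 F8 00", "48 89 D0 90 90 C7 43 08", "48 89 D0 90 90 49 89 C7",
    "48 89 D0 90 90 49 89 C5", "48 89 D0 90 90 85 C0 7F", "48 89 D0 90 90 85 C0 0F",
    "48 89 D0 90 90 85 C0 48",
)]

# Hypothetical interface: read_mem(address, length) returns the bytes at that virtual
# address of the daemon, or None when the address is not mapped in the dump.
ReadMem = Callable[[int, int], Optional[bytes]]

def check_version(version: str, read_mem: ReadMem) -> dict[int, Optional[bool]]:
    """For a version listed in Table 4, report per address whether the patch bytes are
    present (True), absent (False) or unreadable (None). Raises KeyError otherwise."""
    result = {}
    for addr, hexbytes in PATCH_TABLE[version]:
        expected = bytes.fromhex(hexbytes)
        actual = read_mem(addr, len(expected))
        result[addr] = None if actual is None else actual == expected
    return result

def scan_image(image: bytes, base: int = 0) -> list[tuple[int, bytes]]:
    """Version-independent fallback: find any Table 4 patch sequence in a raw image that
    was dumped starting at virtual address `base`; returns (address, pattern) hits."""
    hits = []
    for pattern in PATCH_PATTERNS:
        start = 0
        while (i := image.find(pattern, start)) != -1:
            hits.append((base + i, pattern))
            start = i + 1
    return sorted(hits)

def reader_from_segments(segments: dict[int, bytes]) -> ReadMem:
    """Build a read_mem over a constructed {segment_base: bytes} dict (test data, not a real dump)."""
    def read_mem(addr: int, n: int) -> Optional[bytes]:
        for seg_base, data in segments.items():
            if seg_base <= addr and addr + n <= seg_base + len(data):
                return data[addr - seg_base:addr - seg_base + n]
        return None
    return read_mem

if __name__ == "__main__":
    # Constructed sample: a FG200E v7.0.8 image where only the first patch was applied.
    segs = {0x1ECAE81: bytes.fromhex("48 89 D0 90 90 C7 43 08"),
            0x2665951: bytes.fromhex("E8 00 00 00 00 85 C0 7F")}
    print(check_version("FG200E v7.0.8", reader_from_segments(segs)))
```

For a real dump, `read_mem` must translate the table's virtual addresses to offsets in the image using the daemon's load mapping; an unmapped address yields None rather than a false negative.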


APPENDIX B: IOCS

 * Basic BOLDMOVE
   * MD5: 12e28c14bb7f7b9513a02e5857592ad7
   * SHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da
 * Extended BOLDMOVE
   * MD5: 3191cb2e06e9a30792309813793f78b6
   * SHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
 * Windows version of BOLDMOVE
   * MD5: 54bbea35b095ddfe9740df97b693627b
   * SHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4

© Copyright 2023 Mandiant. All rights reserved.