
UK Cybersecurity Agency Warns of Advanced Malware Targeting Fortinet Firewalls

by Shelley

The UK’s National Cyber Security Centre (NCSC) has issued a critical warning about a new malware, named “UMBRELLA STAND,” that specifically targets Fortinet FortiGate 100D series firewalls exposed to the internet.

This threat is part of a broader rise in attacks on network edge infrastructure. The malware is designed to give attackers long-term access to compromised networks, gaining its initial foothold by exploiting vulnerabilities in the targeted devices.


UMBRELLA STAND uses advanced techniques to communicate with its command and control servers. It sends traffic on TCP port 443 that mimics TLS but skips the usual TLS handshake; instead, it transmits encrypted data directly to hardcoded IP addresses such as 89.44.194.32. Because this traffic blends in with normal HTTPS, it is hard for network administrators to spot.
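The handshake-less traffic described above gives defenders something concrete to look for: a session on port 443 whose first client bytes are not a TLS ClientHello. The following is an added example written for this article, not code from the NCSC report, showing a simple triage check over captured flows. The flow records and byte strings are constructed; the C2 address is the one the article reports, and the benign destination 203.0.113.10 is a documentation address.

```python
"""Triage TCP/443 flows for handshake-less 'fake TLS' and a reported C2 address.

Added example (not from the NCSC report or the article). Assumes you already
have the first bytes the client sent on each flow, e.g. from a packet capture.
"""
from dataclasses import dataclass

# Indicator named in the article: hardcoded C2 address used by UMBRELLA STAND.
KNOWN_C2 = {"89.44.194.32"}

TLS_HANDSHAKE_RECORD = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01           # handshake message type "ClientHello"


def looks_like_client_hello(payload: bytes) -> bool:
    """True if payload starts with a TLS record that carries a ClientHello.

    Record header: content type (1 byte), version (2 bytes), length (2 bytes).
    The handshake message inside begins with its own type byte.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    if content_type != TLS_HANDSHAKE_RECORD:
        return False
    if major != 3 or minor > 4:      # SSL 3.0 through TLS 1.3 record versions
        return False
    if record_len == 0:
        return False
    return payload[5] == CLIENT_HELLO


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_client_bytes: bytes   # earliest client-to-server payload bytes


def classify(flow: Flow) -> list:
    """Return the reasons this flow is suspicious (empty list if none)."""
    reasons = []
    if flow.dst in KNOWN_C2:
        reasons.append("destination matches reported C2 address")
    if flow.dport == 443 and not looks_like_client_hello(flow.first_client_bytes):
        reasons.append("port 443 session does not begin with a TLS ClientHello")
    return reasons


def triage(flows) -> list:
    """Return (flow, reasons) pairs for every flow with at least one reason."""
    hits = []
    for flow in flows:
        reasons = classify(flow)
        if reasons:
            hits.append((flow, reasons))
    return hits


# Constructed sample payloads. The ClientHello is only a plausible prefix
# (record header + handshake header + version); the check reads the first 6 bytes.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + bytes(32)
# An application-data record sent with no handshake before it.
SAMPLE_FAKE_TLS = b"\x17\x03\x03\x00\x20" + bytes(range(32))

SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, SAMPLE_CLIENT_HELLO),   # normal HTTPS
    Flow("10.0.0.5", "89.44.194.32", 443, SAMPLE_FAKE_TLS),       # reported C2, no handshake
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),  # plain HTTP, not in scope
]

if __name__ == "__main__":
    for flow, reasons in triage(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}: " + "; ".join(reasons))
```

Treat a hit as a triage signal rather than a verdict: some legitimate software also runs non-TLS protocols over port 443, and C2 addresses change, so the byte-level check matters more than the address match over time.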


NCSC experts found that UMBRELLA STAND is deployed with a set of publicly available tools, including BusyBox 1.3.11, nbtscan for NetBIOS scanning, tcpdump for capturing network traffic, and parts of openLDAP for directory access.


The malware has a modular design with multiple parts working together. The main network communication module is called “blghtd,” while a watchdog process named “jvnlpe” keeps the malware running persistently.


The malware obfuscates its strings with encryption and gives its processes generic, Linux-looking names such as “/bin/httpsd” to avoid suspicion.

Once inside a network, UMBRELLA STAND gives attackers powerful remote control. It can run shell commands through both the ash shell and BusyBox. It also includes a timeout that stops long-running tasks after 900 seconds, reducing the chance that administrators notice them.

Advanced Persistence and Stealth

UMBRELLA STAND’s most worrying feature is its ability to remain on infected devices even after reboots.

It achieves this by altering the device’s boot process and core operating system functions. The malware hooks into the Fortinet reboot routine, replacing the original with its own startup code.

Additionally, it uses an LD_PRELOAD-style trick: it modifies the “/etc/ld.so.preload” file so that a malicious library named “libguic.so” is loaded into every new process. The library checks whether the running process is “usbmux” and, if so, executes an initialization component called “cisz”; otherwise it silently exits. This ensures the malware reloads itself whenever that system process starts.

UMBRELLA STAND also exploits Fortinet’s own security features to hide its presence. It modifies the “/bin/sysctl” binary to replace references to the trusted directory “/data/etc/.ftgd_trusted/” with a hidden directory, “/data2/.ztls/”. Because FortiOS hides the trusted directory from administrators, redirecting that reference makes the malware’s files invisible during normal directory checks.
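The two persistence artefacts just described, the ld.so.preload entry and the substituted directory string in /bin/sysctl, are both static and can be checked offline against an extracted firmware or filesystem image. The following is an added example for this article, not NCSC or Fortinet tooling, that scans a root directory for them. The file paths and strings come from the article; the demo filesystem it builds is constructed, and the assumption that a clean sysctl binary contains the literal trusted-directory string is labelled in the code.

```python
"""Check an extracted FortiGate filesystem (or any Linux root) for the
UMBRELLA STAND persistence artefacts described in the article.

Added example, not from the NCSC report. Run it against the root of an
extracted image: scan("/mnt/fortigate_root").
"""
from pathlib import Path
import tempfile

PRELOAD_FILE = "etc/ld.so.preload"
SYSCTL_BIN = "bin/sysctl"
TRUSTED_DIR = b"/data/etc/.ftgd_trusted/"   # directory FortiOS hides from admins
HIDDEN_DIR = b"/data2/.ztls/"               # directory the malware substitutes
KNOWN_MALICIOUS_LIBS = {"libguic.so"}       # library named in the article


def check_preload(root: Path) -> list:
    """Report every library ld.so.preload would inject into new processes."""
    findings = []
    preload = root / PRELOAD_FILE
    if not preload.is_file():
        return findings
    for line in preload.read_text(errors="replace").splitlines():
        lib = line.strip()
        if not lib or lib.startswith("#"):
            continue
        if Path(lib).name in KNOWN_MALICIOUS_LIBS:
            findings.append(f"ld.so.preload loads known malicious library {lib}")
        else:
            # Any preload entry on a firewall is worth explaining; flag it for review.
            findings.append(f"ld.so.preload loads {lib}; confirm it belongs to the firmware")
    return findings


def check_sysctl(root: Path) -> list:
    """Look for the directory-string substitution inside /bin/sysctl."""
    findings = []
    sysctl = root / SYSCTL_BIN
    if not sysctl.is_file():
        return findings
    data = sysctl.read_bytes()
    if HIDDEN_DIR in data:
        findings.append("sysctl references hidden directory /data2/.ztls/")
    # Assumption: an unmodified binary contains the trusted-directory literal,
    # so its absence suggests the reference was overwritten.
    if TRUSTED_DIR not in data:
        findings.append("sysctl no longer references /data/etc/.ftgd_trusted/")
    return findings


def check_hidden_dir(root: Path) -> list:
    """The substituted directory itself should not exist on a clean device."""
    hidden = root / "data2" / ".ztls"
    return [f"hidden directory present: {hidden}"] if hidden.is_dir() else []


def scan(root) -> list:
    root = Path(root)
    return check_preload(root) + check_sysctl(root) + check_hidden_dir(root)


def build_demo(compromised: bool) -> Path:
    """Constructed throwaway filesystem for demonstration; not real FortiOS content."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "bin").mkdir()
    if compromised:
        (root / PRELOAD_FILE).write_text("/lib/libguic.so\n")
        (root / SYSCTL_BIN).write_bytes(b"\x7fELF\x00trusted=" + HIDDEN_DIR + b"\x00")
        (root / "data2" / ".ztls").mkdir(parents=True)
    else:
        (root / SYSCTL_BIN).write_bytes(b"\x7fELF\x00trusted=" + TRUSTED_DIR + b"\x00")
    return root


if __name__ == "__main__":
    for label in ("clean", "compromised"):
        findings = scan(build_demo(label == "compromised"))
        print(label + ":", findings or "no findings")
```

Because the malware runs on the device itself and hooks process start-up, checks run from a shell on a live unit can be lied to; comparing an image taken off the device against a known-good firmware build is the more trustworthy way to apply this.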


© 2024 Copyright  freevpnforiphone.com