Wednesday, May 28, 2025
HomeExploitChinese Hackers Exploit FortiOS Zero-Day Vulnerability to Deploy New Malware

Chinese Hackers Exploit FortiOS Zero-Day Vulnerability to Deploy New Malware

Published on

SIEM as a Service

Follow Us on Google News

Mandiant recently reported that a group of hackers originating from China utilized a vulnerability within FortiOS SSL-VPN that had only recently been discovered, and marked as a zero-day exploit, in December. 

The hackers targeted both a government organization in Europe and an African-based managed service provider with a new, specifically designed malware called ‘BOLDMOVE’ that is capable of infecting both Linux and Windows operating systems.

The vulnerability, designated as CVE-2022-42475, was addressed by Fortinet in November without any public announcement. 

- Advertisement - Google News

However, in December, Fortinet made the vulnerability publicly known and urged their customers to take action in patching their devices, as it had been discovered that malicious actors were actively taking advantage of the flaw.

An unauthenticated attacker can exploit the flaw remotely and gain remote code execution capabilities or crash targeted devices from a remote location.

It was only recently that Fortinet provided further insights into how the vulnerability was exploited. They revealed that malicious actors had been targeting government organizations by utilizing custom-made malware, tailored to function on FortiOS devices, specifically.

The hackers aimed to maintain a foothold on the targeted devices by utilizing the custom malware to manipulate the FortiOS logging processes. The malware was programmed to patch the logging processes so as to remove certain entries or disable the logging altogether, in order to evade detection.

BOLDMOVE Malware

In December 2022, Mandiant discovered the BOLDMOVE backdoor which was being used to Exploit FortiOS Zero-Day (CVE-2022-4947) vulnerability.

The malware BOLDMOVE, which is written in the programming language C, has versions that can run on both Windows and Linux operating systems. The Linux variant of the malware specifically targets Fortinet devices, as it is able to read data from a file that is specific to Fortinet.

Several versions of the BOLD MOVE have been identified by Mandiant, varying in their capabilities, but a core set of features continues to be present in all samples, including the following:-

  • Perform system survey
  • Receive commands from the C2 server
  • Spawn a remote shell
  • Relay traffic via the infected host

BOLDMOVE supports a number of commands that allow threat actors to perform the following things remotely:-

  • Manage files
  • Execute commands
  • Interactive shell creation
  • Backdoor control

It is believed that the Windows version of the malware was compiled almost a year before the Linux version in 2021. This is almost a year earlier than the Linux version, but both of them operate with different libraries.

Extended Version of BOLDMOVE

All the functionality outlined above is available in the extended version of BOLDMOVE, along with a number of new functions. Moreover, the Execution Guardrails (T1480) is included in the extended version, which verifies that a specific path is used for execution. 

As a result, the following steps are taken to accomplish this goal:-

  • Retrieving its own path from /proc/self/exe
  • Obtaining an inode from this resultant path via fstatat
  • Obtain a secondary inode from the statically defined path /bin/wxd
  • Comparing these two inode records

It is important to note that the Linux version of the software has a significant feature that allows it to work with FortiOS devices specifically, as opposed to the Windows version, and it’s one of the most significant differences between them.

IOCs

  • Basic BOLDMOVE
  • MD5: 12e28c14bb7f7b9513a02e5857592ad7
  • SHA256: 3da407c1a30d810aaff9a04dfc1ef5861062ebdf0e6d0f6823ca682ca08c37da
  • Extended BOLDMOVE
  • MD5: 3191cb2e06e9a30792309813793f78b6
  • SHA256: 0184e3d3dd8f4778d192d07e2caf44211141a570d45bb47a87894c68ebebeabb
  • Windows version of BOLDMOVE
  • MD5: 54bbea35b095ddfe9740df97b693627b
  • SHA256: 61aae0e18c41ec4f610676680d26f6c6e1d4d5aa4e5092e40915fe806b679cd4

Network Security Checklist – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Use Fake DocuSign Notifications to Steal Corporate Data

DocuSign has emerged as a cornerstone for over 1.6 million customers worldwide, including 95%...

Government Calls on Organizations to Adopt SIEM and SOAR Solutions

In a landmark initiative, international cybersecurity agencies have released a comprehensive series of publications...

WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack

A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a...

Microsoft Alerts on Void Blizzard Hackers Targeting Telecommunications and IT Sectors

Microsoft Threat Intelligence Center (MSTIC) has issued a critical warning about a cluster of...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

WordPress TI WooCommerce Wishlist Plugin Flaw Puts Over 100,000 Websites at Risk of Cyberattack

A severe security flaw has been identified in the TI WooCommerce Wishlist plugin, a...

Hackers Exploit Craft CMS Vulnerability to Inject Cryptocurrency Miner Malware

Threat actors have exploited a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32432,...

APT36 and Sidecopy Hackers Target India’s Critical Infrastructure with Malware Attacks

Seqrite Labs, India’s largest malware analysis facility, has uncovered a sophisticated campaign dubbed Operation...