Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN

A server briefly linked to the notorious KeyPlug malware has inadvertently exposed a comprehensive arsenal of exploitation tools specifically designed to target Fortinet firewall and VPN appliances.

The infrastructure, which security researchers have attributed to the RedGolf threat group (overlapping with APT41), was accessible for less than 24 hours before being secured, providing a rare glimpse into advanced persistent threat operations aimed at critical network infrastructure.

The exposed server at IP 45.77.34[.]88 revealed multiple exploit scripts targeting vulnerabilities in Fortinet devices, including what appear to be tools leveraging CVE-2024-23108 and CVE-2024-23109.

These exploits specifically abuse unauthenticated WebSocket endpoints in FortiOS to execute privileged CLI commands, potentially giving attackers complete control over targeted appliances.

The brief exposure underscores the sophisticated capabilities of the threat actor and their focus on high-value network security devices.

Hunt.io researchers noted that the server shared a WolfSSL-issued TLS certificate with five additional servers, all hosted on Vultr, creating a traceable pattern of infrastructure.

Their AttackCapture system indexed the server during its brief exposure, preserving critical evidence that might otherwise have been lost when the misconfiguration was corrected.

Among the most concerning findings were Python-based reconnaissance scripts designed to scan for and fingerprint Fortinet devices.

One such script, identified as “1.py,” systematically probes potential targets for Fortinet login portals and extracts version-specific JavaScript hash values that can be used to determine exploit compatibility. The script extracts the hash with the following logic:

# locate the SSL-VPN login script tag and read the version hash from its query string
script_tag = soup.select_one("script[src^='/sslvpn/js/login.js']")
Hash = script_tag['src'].split('=')[1]

A more aggressive exploit tool named “ws_test.py” demonstrated functionality for bypassing Fortinet authentication by spoofing local traffic. The script uses a hardcoded header set to make the request appear to originate from the appliance itself:

# Forwarded header claims a loopback origin; the User-Agent mimics a Node.js client
headers = {'Forwarded': 'for=127.0.0.1; by=127.0.0.1;', 'User-Agent': 'Node.js'}

This bypass technique, when successful, allows execution of privileged commands such as “show full-configuration” without any authentication, potentially compromising the entire device.

The leaked infrastructure also contained evidence of targeting focused on a major Japanese company, Shiseido. Reconnaissance output files revealed nearly one hundred domains associated with the company, including login portals, development environments, and identity providers.

This targeting suggests the threat actor may be engaged in corporate espionage or preparing for a significant supply chain compromise.

The analysis revealed a particularly sophisticated PHP-based webshell called “bx.php” that uses encryption to hide command execution.

The webshell reads encrypted payloads directly from HTTP POST bodies, decrypts them in memory, and executes commands dynamically, leaving minimal evidence on disk or in logs.

Security experts recommend immediate patching of all Fortinet devices, monitoring for WebSocket handshake requests to suspicious endpoints, and reviewing historical logs for signs of exploitation attempts using these now-exposed techniques.
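A defender-side illustration of that monitoring advice, added here and not part of the original article or of any vendor tooling: it scans a constructed JSON-lines request log (the field names, endpoint path and log format are assumptions) for the two traits described above, a Forwarded header claiming loopback origin on a request that did not come from loopback, and a WebSocket handshake or Node.js User-Agent alongside it.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed sample: JSON-lines export from a hypothetical reverse proxy in front of the
# appliance; field names and paths are assumptions, not a real FortiOS log format.
SAMPLE_LOG = """\
{"src_ip": "203.0.113.7", "path": "/remote/login", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src_ip": "198.51.100.9", "path": "/PLACEHOLDER-ws-endpoint", "headers": {"Upgrade": "websocket", "Forwarded": "for=127.0.0.1; by=127.0.0.1;", "User-Agent": "Node.js"}}
{"src_ip": "127.0.0.1", "path": "/PLACEHOLDER-ws-endpoint", "headers": {"Upgrade": "websocket"}}
{"src_ip": "192.0.2.44", "path": "/api/v2/status", "headers": {"Forwarded": "for=\\"[::1]\\"", "User-Agent": "curl/8.0"}}
"""

def claims_loopback(forwarded: str) -> bool:
    """True if an RFC 7239 Forwarded header asserts a loopback 'for' or 'by' node."""
    for pair in forwarded.replace(",", ";").split(";"):
        key, _, value = pair.strip().partition("=")
        if key.strip().lower() not in ("for", "by"):
            continue
        node = value.strip().strip('"').strip("[]")  # also handles quoted IPv6 such as "[::1]"
        try:
            if ipaddress.ip_address(node).is_loopback:
                return True
        except ValueError:  # hostnames or obfuscated identifiers: not an IP, skip
            continue
    return False

def analyse_record(rec: dict) -> List[str]:
    """Return indicator names for one request record (empty list means nothing notable)."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    findings: List[str] = []
    forwarded = headers.get("forwarded", "")
    # Primary indicator: a non-loopback source whose Forwarded header claims loopback origin.
    if forwarded and not ipaddress.ip_address(rec["src_ip"]).is_loopback and claims_loopback(forwarded):
        findings.append("forwarded-claims-loopback")
        if headers.get("upgrade", "").lower() == "websocket":  # escalate: it is a handshake
            findings.append("websocket-handshake")
    if headers.get("user-agent", "").strip() == "Node.js":  # weak alone, corroborating here
        findings.append("nodejs-user-agent")
    return findings

def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line number to findings for every record that triggered."""
    alerts: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            findings = analyse_record(json.loads(line))
            if findings:
                alerts[lineno] = findings
    return alerts
```

Calling scan_log(SAMPLE_LOG) flags lines 2 and 4 only; the genuine loopback handshake on line 3 is left alone, which is the distinction that keeps this check from alerting on the appliance's own internal traffic.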
