KeyPlug Malware Server Leak Exposes Fortinet Firewall and VPN Exploitation Tools
Cybersecurity researchers have uncovered a cache of operational tools and scripts linked to the KeyPlug malware, which is associated with the threat group RedGolf, also tracked as APT41.
The server, which was inadvertently exposed for less than 24 hours, offered a rare glimpse into the tactics, techniques, and procedures (TTPs) of this advanced persistent threat actor.
Exposure of Staging Infrastructure
The server’s brief exposure allowed experts to capture a snapshot of what appears to be an active staging ground for cyberattacks.
Among the most critical findings were scripts targeting Fortinet firewall and VPN infrastructures.
These tools included a Python script named 1.py, which performs reconnaissance against Fortinet appliances by requesting JavaScript resources from the device and comparing their hashes against version-specific values.
Knowing the exact firmware version tells an attacker which exploit or attack vector is most likely to work against a particular appliance.
Further examination of the directory revealed script.py, a tool for fingerprinting content delivery networks (CDNs) so that hosts exposed directly to the internet can be separated from those fronted by a CDN, presumably for follow-on targeting.
Another standout was ws_test.py, which automates exploitation of Fortinet's WebSocket CLI interface, targeting unauthenticated endpoints to execute CLI commands without authenticating.
According to the report, the script bypasses access controls by spoofing requests so that they appear to originate from a local IP address.
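The three behaviours described above (a burst of JavaScript fetches used to hash-fingerprint the firmware version, a WebSocket CLI session opened from outside the management network, and a forwarded header claiming a local source address) all leave traces in web-access logs. The following Python is an example added for this article, not code from the report or from the leaked toolkit; the log format, the `/ws/cli` path, the thresholds and the sample entries are constructed assumptions and should be replaced with the appliance's real log fields and endpoint.

```python
"""Heuristics for the reconnaissance and WebSocket CLI behaviour described above, run
over constructed web-access log lines. Example added to this article; log format, paths
and thresholds are assumptions, not Fortinet's real log schema or endpoints."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real appliance output). One line per request:
#   <ISO timestamp> <tcp peer ip> <method> <path> <status> xff=<X-Forwarded-For value or ->
# 203.0.113.7 pulls four scripts in three seconds, then opens the CLI WebSocket while
# claiming to be 127.0.0.1; 198.51.100.20 is a normal user; 10.0.0.5 is an admin on the LAN.
SAMPLE_LOG = """\
2025-04-01T10:00:01 203.0.113.7 GET /static/js/app.js 200 xff=-
2025-04-01T10:00:02 203.0.113.7 GET /static/js/vendor.js 200 xff=-
2025-04-01T10:00:02 203.0.113.7 GET /static/js/login.js 200 xff=-
2025-04-01T10:00:03 203.0.113.7 GET /static/js/menu.js 200 xff=-
2025-04-01T10:00:09 203.0.113.7 GET /ws/cli 101 xff=127.0.0.1
2025-04-01T10:05:00 198.51.100.20 GET /static/js/app.js 200 xff=-
2025-04-01T10:05:30 198.51.100.20 POST /login 302 xff=-
2025-04-01T10:06:00 10.0.0.5 GET /ws/cli 101 xff=-
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) xff=(\S+)$")
CLI_PATH_PREFIX = "/ws/cli"   # hypothetical placeholder for the WebSocket CLI endpoint
JS_THRESHOLD = 3              # distinct .js files from one peer ...
WINDOW_SECONDS = 60           # ... within this many seconds => fingerprinting burst

# Address space a request to the management interface may legitimately come from.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_local(addr):
    """True for loopback, RFC 1918, link-local or ULA addresses; False for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def parse(log):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, peer, method, path, status, xff = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "peer": peer, "method": method,
                       "path": path, "status": int(status), "xff": None if xff == "-" else xff})
    return events


def detect(events):
    """Return (rule, peer, detail) alerts for the three behaviours."""
    alerts = []
    js_hits = defaultdict(list)
    for ev in events:
        if ev["path"].endswith(".js"):
            js_hits[ev["peer"]].append((ev["ts"], ev["path"]))
        # External peer presenting a forwarded header that claims a local source address:
        # the appliance must never let such a header decide whether the client is "local".
        if ev["xff"] and is_local(ev["xff"]) and not is_local(ev["peer"]):
            alerts.append(("spoofed_local_ip", ev["peer"], ev["path"]))
        # Successful WebSocket upgrade (101) on the CLI endpoint from outside the LAN.
        if ev["path"].startswith(CLI_PATH_PREFIX) and ev["status"] == 101 and not is_local(ev["peer"]):
            alerts.append(("external_cli_websocket", ev["peer"], ev["path"]))
    # Burst of distinct script fetches from one peer: the pattern a version-hash probe leaves.
    for peer, hits in js_hits.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {p for t, p in hits[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}
            if len(distinct) >= JS_THRESHOLD:
                alerts.append(("js_fingerprint_burst", peer,
                               f"{len(distinct)} distinct .js in {WINDOW_SECONDS}s"))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

The script-burst rule as written will also fire on an ordinary page load, which pulls several scripts at once; in production, restrict it to clients with no session cookie or Referer, or to requests arriving faster than a browser would issue them. The forwarded-header rule assumes the appliance is not legitimately behind a reverse proxy; if it is, treat the proxy's address as the peer and inspect the header it appends instead.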
Malicious Payloads and Reverse Shells
The directory also contained bx.php, a PHP webshell for remote command execution.
It receives encrypted command payloads, decrypts them on the fly and executes them, so that the commands never cross the wire in cleartext and little is left behind to trace.
Also present was client.ps1, a PowerShell reverse shell that keeps an encrypted TCP channel open to the operator for post-exploitation tasks.
To manage these operations, an ELF binary named Server was also part of the toolkit, acting as an HTTP listener on port 8080.
This listener allows operators to interact with established sessions, manage commands, and maintain operational control over compromised systems.
This leak underscores the value of monitoring even short-lived infrastructure: the server was live for less than a day, yet that was long enough to capture the toolkit.
The tools show both the depth of RedGolf/APT41's capabilities and the potential weaknesses in widely deployed enterprise security products such as Fortinet's.
Cybersecurity professionals are urged to keep their systems current with the latest patches, particularly those affecting SSL VPN interfaces, to keep management and CLI interfaces off the public internet, and to monitor for automated access attempts that could signal similar reconnaissance or exploitation.
The exposure of this server is a notable episode in the ongoing contest between defenders and sophisticated threat actors, yielding both insight into adversary tactics and actionable intelligence for defensive measures.
Indicators of Compromise (IOCs)
| Filename | SHA-256 Hash |
| --- | --- |
| systemed-dev | 53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45 |
| 1.py | 09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95 |
| bx.php | 7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50 |
| client.ps1 | c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7 |
| script.py | 2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6 |
| Server | f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3 |
| ws_test.py | 98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d |
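The hashes in the table are most useful as a file sweep: names such as 1.py, Server and client.ps1 are trivially renamed, but a SHA-256 match is exact. The following Python is an example added here, not tooling from the report; it embeds the seven hashes above and walks whatever directory tree you point it at. The chunked hashing, the symlink skip and the size cap are design choices of this example, not something the report prescribes.

```python
"""File-hash sweep for the IOCs in the table above. Example added to this article, not the
report's own tooling; the hash set is copied from the table, everything else is a design
choice (chunked hashing, skipping symlinks and oversized files)."""
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 -> filename from the IOC table. Keys are lowercase hex; hashes, not names, are matched.
KEYPLUG_IOCS = {
    "53a24e00ae671879ea3677a29ee1b10706aa5aa0dccd4697c3a94ee05df2ec45": "systemed-dev",
    "09b220a315ea0aebae2de835a3240d3690c962a3c801dd1c1cf6e6e2c84ede95": "1.py",
    "7146774db3c77e27b7eb48745aef56b50e0e7d87280fea03fa6890646af50d50": "bx.php",
    "c8d2b2ba5b6585584200ca46564b47db8048d748aefbdfe537bceaf27fb93ad7": "client.ps1",
    "2386baf4bf3a57ae7bca44c952855a98edf569da7b62bb0c8cbe414f1800d2b6": "script.py",
    "f21a7180405c52565fdc7a81b2fb5a494a3d936a25d1b30b9bd4b69a5e1de9a3": "Server",
    "98261d1f92ae8f7a479bc5fc4d0a8d6a76c0d534e63e9edbc2d6257a9ba84b9d": "ws_test.py",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=KEYPLUG_IOCS, max_size=64 << 20):
    """Walk root and return [(path, sha256, ioc_name)] for every regular file whose hash is in iocs.

    Symlinks are skipped so a planted link cannot point the sweep at /dev/zero or a huge file;
    files above max_size are skipped for the same reason (raise it if the artefact you are
    hunting is larger). Hash keys are normalised to lowercase before matching.
    """
    iocs = {k.lower(): v for k, v in iocs.items()}
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if p.is_symlink() or not p.is_file() or p.stat().st_size > max_size:
                    continue
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable file: report nothing rather than abort the sweep
            if digest in iocs:
                matches.append((str(p), digest, iocs[digest]))
    return matches


if __name__ == "__main__":
    for path, digest, name in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"MATCH {name} {digest} {path}")
```

Run it against web roots, temp directories and user profiles on hosts that could have received the webshell or reverse shell; a match on bx.php or client.ps1 in a web root or scheduled-task directory is a much stronger signal than a filename hit, since the names are generic.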