Boldmove Linux Malware used to bypass Fortinet Devices

Chinese hackers are suspected of having exploited the FortiOS SSL VPN vulnerability in December. This zero-day attack targeted a European government as well as an African MSP using custom ‘BOLDMOVE’ Linux and Windows malware.

Fortinet quietly patched the vulnerability in November, tracking it as CVE-2022-242475. Fortinet made the disclosure in December, fearing that the flaw could be exploited by attackers.

The flaw allows remote unauthenticated attackers to crash target devices or execute code.

details about the exploits of it until late November. It explained that hackers had targeted government agencies with customized malware that could run on FortiOS.

The attackers were focused on maintaining persistence on exploited devices, using the custom malware to patch FortiOS logging processes so that specific log entries could be removed or logging disabled altogether.

Yesterday, Mandiant published a report on a Chinese espionage campaign that has exploited the FortiOS flaw since October 2022. It used a new “BOLDMOVE” malware specifically designed to attack FortiOS devices.

BOLDMOVE is now available

BOLDMOVE is a fully featured backdoor written in C that allows Chinese hackers to take control of the device at a higher level. The Linux version was specifically designed to work on FortiOS devices.

Mandiant found several BOLDMOVE versions with different capabilities. However, the same core features were observed in all of these samples.

  • Surveying the system.
  • Receiving commands from the C2 (command-and-control) server.
  • Spawning a remote shell on the host.
  • Relaying traffic through the compromised device.

BOLDMOVE supports commands that let threat actors remotely access files, execute commands, create an interactive shell, and control the backdoor itself.

Although the Windows and Linux versions are almost identical, they use different libraries. Mandiant believes that the Windows version was created in 2021, nearly a year ahead of the Linux version.

Windows and Linux variants comparison


The most striking difference between the Linux and Windows variants is that FortiOS-specific functionality is included in one of the Linux versions.

A Linux BOLDMOVE version, for example, allows an attacker to alter Fortinet logs or disable all logging daemons (miglogd, syslogd), making it difficult for defenders to trace the intrusion.
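Because a device whose logging daemons have been disabled cannot report on itself, the silence has to be noticed from the log collector's side. The following is an added example, not code from Mandiant or Fortinet: it scans FortiOS-style key=value syslog lines for per-device quiet periods. The sample lines, device names and five-minute threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of FortiOS-style syslog lines as seen on a central
# collector; device names and timestamps are invented for illustration.
SAMPLE_LOGS = """\
date=2023-01-19 time=10:00:05 devname="FGT-EDGE-01" type="traffic" level="notice"
date=2023-01-19 time=10:00:20 devname="FGT-EDGE-03" type="traffic" level="notice"
date=2023-01-19 time=10:00:40 devname="FGT-EDGE-02" type="traffic" level="notice"
date=2023-01-19 time=10:01:10 devname="FGT-EDGE-01" type="event" level="information"
date=2023-01-19 time=10:02:15 devname="FGT-EDGE-01" type="traffic" level="notice"
date=2023-01-19 time=10:03:00 devname="FGT-EDGE-03" type="event" level="information"
date=2023-01-19 time=10:04:45 devname="FGT-EDGE-02" type="traffic" level="notice"
date=2023-01-19 time=10:08:30 devname="FGT-EDGE-02" type="traffic" level="notice"
date=2023-01-19 time=10:12:50 devname="FGT-EDGE-02" type="event" level="information"
date=2023-01-19 time=10:17:00 devname="FGT-EDGE-02" type="traffic" level="notice"
date=2023-01-19 time=10:20:30 devname="FGT-EDGE-01" type="traffic" level="notice"
date=2023-01-19 time=10:21:10 devname="FGT-EDGE-02" type="traffic" level="notice"
"""

LINE_RE = re.compile(r'date=(\S+) time=(\S+) devname="([^"]+)"')

def parse(text):
    """Yield (device, timestamp) for each line in the expected format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            stamp = f"{m.group(1)} {m.group(2)}"
            yield m.group(3), datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")

def find_silences(text, max_gap, now):
    """Return (device, last_seen, resumed_or_None, gap) per quiet period > max_gap."""
    last_seen, findings = {}, []
    for dev, ts in sorted(parse(text), key=lambda rec: rec[1]):
        prev = last_seen.get(dev)
        if prev is not None and ts - prev > max_gap:
            findings.append((dev, prev, ts, ts - prev))  # logging stopped, then resumed
        last_seen[dev] = ts
    for dev, prev in sorted(last_seen.items()):
        if now - prev > max_gap:
            findings.append((dev, prev, None, now - prev))  # still silent at 'now'
    return findings

if __name__ == "__main__":
    for dev, since, until, gap in find_silences(
            SAMPLE_LOGS, timedelta(minutes=5), datetime(2023, 1, 19, 10, 24, 0)):
        print(f"{dev}: no logs for {gap} from {since} ({until or 'still silent'})")
```

A gap check like this only catches logging that stops outright; selective removal of individual entries leaves no silence to detect, and the threshold needs tuning to each device's normal log volume.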

This version of BOLDMOVE also allows attackers to send requests to internal Fortinet services.

Unpatched devices that are exposed to the internet will be targeted by the Chinese cyber-espionage organization.

It’s difficult for security personnel to see what is happening on these devices. Mandiant claims that native security systems don’t work well enough to safeguard them.

states that there is no way to identify malicious software running on these devices, nor any telemetry for proactively hunting for malicious images after a vulnerability has been exploited.

This makes network devices a blind spot for security professionals and lets attackers hide in them for extended periods while using them to gain access to a targeted network.

The creation of a custom-made backdoor for those devices demonstrates the threat actor’s deep knowledge of how perimeter networks operate and the access opportunities they offer.