CASTLETAP

Description

(Mandiant) Analysis on the FortiGate firewalls identified an additional malicious file /bin/fgfm. Analysis of /bin/fgfm determined it to be a passive backdoor, named CASTLETAP, that listened for a specialized ICMP packet for activation. The threat actor likely named the file ‘fgfm’ in an attempt to disguise the backdoor as the legitimate service ‘fgfmd’ which facilitates communication between the FortiManager and FortiGate firewalls.

Once executed, CASTLETAP created a raw promiscuous socket to sniff network traffic. CASTLETAP then filtered and XOR decoded a 9-byte magic activation string in the payload of an ICMP echo request packet.

Names

Name: CASTLETAP

Category: Malware

Type:

  • Backdoor

Other Information

Uuid: cc32e2b8-7562-4241-929f-450ed69be9cb

Last Card Change: 2024-08-26