NCSC Warns of SHOE RACK Malware Targeting Fortinet Firewalls via DOH & SSH Protocols
The National Cyber Security Centre (NCSC) has issued a critical alert regarding a newly identified malware, dubbed SHOE RACK, which has been observed targeting Fortinet firewalls and other perimeter devices.
Developed using the Go 1.18 programming language, this malicious software demonstrates a high level of sophistication by leveraging DNS-over-HTTPS (DoH) for command and control (C2) resolution and employing custom SSH extensions for interaction with compromised systems.
Cybersecurity experts have linked SHOE RACK to a modified version of the open-source reverse SSH implementation ‘NHAS,’ indicating that threat actors have adapted existing tools to suit their malicious objectives.
Emerging Threat Exploits DNS-over-HTTPS
The malware was recovered in both UPX-packed and unpacked forms from a victim device, underscoring the actor’s efforts to obfuscate their payload and evade detection.
SHOE RACK initiates its operation by selecting a random legitimate DNS server, such as Google’s 8.8.8.8, Cloudflare’s 1.1.1.1, or Quad9’s 9.9.9.9, among others, to resolve the MX record of its hardcoded C2 domain, phcia.duckdns[.]org, via DoH.
This approach not only helps mask its network traffic within encrypted HTTPS streams but also complicates traditional DNS-based detection mechanisms.
Once the C2 server’s IP address is resolved, the malware establishes a TCP/TLS connection and initiates an SSH-2.0 handshake, deceptively advertising itself as an outdated ‘SSH-1.1.3’ client.
This unusual behavior, coupled with the malware waiting for the C2 server to open the SSH channel, deviates from standard SSH protocols and serves as a key indicator of compromise.
Sophisticated Reverse SSH Tunneling
The malware supports two channel types: the standard ‘session’ channel and a non-standard ‘jump’ channel. Together they enable a range of malicious activities, from executing commands and opening interactive shells to creating reverse SSH tunnels that turn the compromised device into an SSH server.
Additionally, the ‘direct-tcpip’ channel facilitates TCP tunneling, allowing threat actors to route traffic through the victim’s endpoint, potentially enabling lateral movement into local area networks (LANs).
Analysis of the malware’s binary reveals two versions: a UPX-packed executable named ‘ldnet’ of approximately 4.07 MB and an unpacked version of 9.38 MB.
The metadata, including MD5, SHA-1, and SHA-256 hashes, has been documented to aid in identification and forensic investigations.
According to the report, the NCSC believes that the threat actor customized SHOE RACK to pivot into internal networks after breaching perimeter defenses, a tactic indicative of advanced persistent threat (APT) behavior.
While the use of UPX packing shows some consideration for operational security, the impersonation of an outdated SSH version creates unique network signatures that organizations can monitor for early detection.
The NCSC urges network administrators to scrutinize traffic for connections to the identified C2 domain and to implement robust endpoint protection mechanisms to mitigate this emerging threat.
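The two network-visible indicators the report describes (the DoH lookup of the C2 domain, including its MX record, and the non-standard ‘SSH-1.1.3’ client banner with the server opening the first channel) can be turned into detection logic. The following is an added example written for this article, not code from the NCSC report or from the malware; it assumes SSH and DNS telemetry has already been normalized into Python dicts with the field names used below (`uid`, `client_banner`, `first_channel_opened_by`, `query`, `qtype`), which are assumed names, and the sample records are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Indicator from the article's IoC table, written defanged there as phcia.duckdns[.]org.
C2_DOMAINS = {"phcia.duckdns[.]org".replace("[.]", ".")}

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# Real clients advertise protoversion "2.0" (or "1.99" for backward compatibility).
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+(?:\.\d+)?)(?:-(?P<software>\S+))?(?: (?P<comment>.*))?$"
)
EXPECTED_PROTO = {"2.0", "1.99"}


@dataclass(frozen=True)
class Finding:
    uid: str      # connection identifier taken from the log record
    reason: str


def parse_banner(banner: str):
    """Split an SSH identification string into (protoversion, softwareversion).

    Returns None when the string does not have the SSH- prefix shape at all;
    softwareversion is None when the peer omitted that field.
    """
    m = BANNER_RE.match(banner.rstrip("\r\n"))
    if m is None:
        return None
    return m.group("proto"), m.group("software")


def check_ssh_record(rec: dict) -> list:
    """Flag the SSH-level indicators described in the article for one connection record."""
    findings = []
    parsed = parse_banner(rec.get("client_banner", ""))
    if parsed is None:
        findings.append(Finding(rec["uid"], "unparseable SSH identification string"))
        return findings
    proto, software = parsed
    if proto not in EXPECTED_PROTO:
        findings.append(Finding(rec["uid"], f"client advertises SSH protocol version {proto}"))
    if software is None:
        findings.append(Finding(rec["uid"], "identification string lacks softwareversion"))
    # In normal SSH the client opens the first channel ('session'). The implant instead
    # waits for the C2 server to open it; a sensor that records channel-open direction
    # (assumed field first_channel_opened_by) can surface that.
    if rec.get("first_channel_opened_by") == "server":
        findings.append(Finding(rec["uid"], "first SSH channel opened by the server"))
    return findings


def check_dns_record(rec: dict) -> list:
    """Flag any resolution attempt for the known C2 domain (MX included)."""
    qname = rec.get("query", "").rstrip(".").lower()
    if qname in C2_DOMAINS:
        return [Finding(rec["uid"], f"query for C2 domain {qname} (qtype {rec.get('qtype', '?')})")]
    return []


# Constructed sample records (not real telemetry): one benign SSH session, one matching
# the SHOE RACK pattern, one benign DNS query and one MX query for the C2 domain.
SAMPLE_SSH_RECORDS = [
    {"uid": "C1", "client_banner": "SSH-2.0-OpenSSH_9.6 Ubuntu-3ubuntu13\r\n",
     "first_channel_opened_by": "client"},
    {"uid": "C2", "client_banner": "SSH-1.1.3\r\n",
     "first_channel_opened_by": "server"},
]
SAMPLE_DNS_RECORDS = [
    {"uid": "D1", "query": "www.example.com.", "qtype": "A"},
    {"uid": "D2", "query": "phcia.duckdns.org.", "qtype": "MX"},
]


def scan(ssh_records, dns_records) -> list:
    """Run both checks over the supplied records and return every finding."""
    findings = []
    for rec in ssh_records:
        findings.extend(check_ssh_record(rec))
    for rec in dns_records:
        findings.extend(check_dns_record(rec))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SSH_RECORDS, SAMPLE_DNS_RECORDS):
        print(f"{f.uid}: {f.reason}")
```

The banner check works on any SSH session because the identification string is exchanged in cleartext before key exchange, so it does not require decrypting the tunnel. The DNS check only sees the C2 lookup if the telemetry source can observe it; since the implant resolves via DoH to public resolvers, that means an endpoint agent, a TLS-inspecting proxy, or egress policy that forces DoH through a logged resolver rather than the organization's ordinary DNS server logs.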
Indicators of Compromise (IoC)
| Type | Description | Value |
|---|---|---|
| Domain | C2 domain | phcia.duckdns[.]org:443 |
| Filename | Malware name | ldnet |