Threat Report
SHOE RACK: a post-exploitation tool for remote shell access and TCP tunnelling through a victim device
Threat Overview
SHOE RACK is a post-exploitation implant written in Go 1.18. It connects out to a custom SSH server at a hardcoded C2 URL, giving the operator remote interaction with the victim device, and resolves the C2 server's IP address over DNS-over-HTTPS rather than through the victim's configured DNS resolver. It has been observed targeting FortiGate 100D series firewalls. SHOE RACK supports several SSH channel types, including the standard 'session' type and a non-standard 'jump' type used for reverse-SSH tunnelling, and it offers TCP tunnelling so that an actor who has compromised a perimeter device can pivot into the LAN behind it. Some operational security measures are implemented, but the malware's network traffic remains distinctive because it impersonates an outdated SSH version in its identification string.
Detailed Analysis
SHOE RACK is a post-exploitation tool that provides remote shell access and TCP tunnelling through a compromised device. It is written in Go 1.18. Go produces statically linked binaries that are straightforward to cross-compile for the CPU architectures used in network appliances, which suits a tool aimed at perimeter devices; Go binaries also embed the toolchain version they were built with, which is how the 1.18 attribution can be confirmed from a sample (for example with `go version <binary>`).
The malware connects to a custom SSH server at a hardcoded C2 URL. This server is the command-and-control endpoint: the operator issues commands to the infected device over the SSH connection and receives data back. Because the channel is SSH, the content of the session is encrypted and cannot be inspected by network security tools; what remains visible is connection metadata (the source, the destination, the port and the cleartext SSH identification exchange), and because the C2 location is hardcoded, that destination is a stable indicator once a sample has been analysed.
SHOE RACK uses DNS-over-HTTPS (DoH) to look up its C2 server's IP address. DoH carries the DNS query inside an HTTPS connection to a public resolver, so the lookup bypasses the victim network's own DNS servers and is not recorded by DNS logging, sinkholing or response-policy controls that depend on them. From a defender's point of view the query itself is invisible; what can still be seen is the outbound TLS connection from the firewall to a DoH resolver, which is itself unusual behaviour for a perimeter appliance.
The malware has been observed targeting FortiGate 100D series firewalls. These appliances sit at the network perimeter and are trusted by the hosts behind them. A compromised firewall therefore gives the attacker a foothold with direct reachability into the internal network, from which they can move laterally to other systems.
SHOE RACK supports several SSH channel types, including 'session' and a non-standard 'jump' type. The 'session' channel type is the standard SSH mechanism (RFC 4254) for running a shell or command, and here it gives the operator an interactive shell on the infected device. The 'jump' channel type is not defined by the SSH specifications; SHOE RACK uses it for reverse-SSH tunnelling, so that the operator can pivot into networks reachable from the compromised perimeter device. Note that channel types are negotiated inside the encrypted SSH transport, so a network sensor cannot see them; detection has to rely on the cleartext identification exchange and on connection metadata.
The malware also offers TCP tunnelling. Arbitrary TCP connections requested by the operator are carried over the SSH session and forwarded by the implant to hosts on the internal network, effectively turning the compromised firewall into a proxy. This is what enables pivoting into the LAN after a perimeter compromise, and the same path can be used in the other direction to exfiltrate data from the network.
Operational Security Measures
SHOE RACK implements some operational security measures, but its network communications remain distinctive because it impersonates an outdated SSH version in its identification string: a fixed, old version banner sent by a firewall that should not be initiating outbound SSH at all is a high-fidelity signal for network monitoring. The hardcoded C2 URL is a further weakness. It cannot be changed without redeploying the implant, so once the URL is known it is both a reliable indicator of compromise and a single point of failure: blocking or taking down that endpoint severs the operator's access.
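As an added illustration (not code from the report and not part of SHOE RACK), the following Python models how a network sensor could correlate the two externally observable traits described above: a DoH lookup from a perimeter appliance, followed by an outbound SSH connection from the same appliance whose client identification string claims an outdated OpenSSH release. The log format, the addresses, the DoH resolver list, the internal ranges and the version floor are all constructed assumptions for the example; the report does not give the exact banner SHOE RACK sends, so the `OpenSSH_5.3` string in the sample is illustrative only.

```python
"""Flag the two network traits the report attributes to SHOE RACK: DoH lookups
from a perimeter device and outbound SSH whose client banner claims an old
OpenSSH release. Log format and all addresses are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>\S+)(?:\s+(?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(\d+)\.(\d+)")

# Assumptions (site-specific, not from the report): SNI names of public DoH
# resolvers, addresses of perimeter firewalls, internal ranges, and the oldest
# OpenSSH client release considered legitimate at this site.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
PERIMETER = {ip_address("203.0.113.10")}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_OPENSSH = (8, 0)


@dataclass
class Event:
    ts: int
    src: object
    dst: object
    dport: int
    kind: str      # "tls" (detail = SNI) or "ssh" (detail = client identification string)
    detail: str


def parse_banner(banner):
    """Split an SSH identification string into (proto, software, comments); None if malformed."""
    m = BANNER_RE.match(banner.strip())
    return (m["proto"], m["soft"], m["comments"]) if m else None


def openssh_version(software):
    """(major, minor) for an OpenSSH software string, None for anything else."""
    m = OPENSSH_RE.match(software)
    return (int(m[1]), int(m[2])) if m else None


def is_outdated(software, floor=MIN_OPENSSH):
    v = openssh_version(software)
    return v is not None and v < floor


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Constructed format: ts src dst dport kind detail (detail may contain spaces)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, kind, detail = line.split(maxsplit=5)
        events.append(Event(int(ts), ip_address(src), ip_address(dst), int(dport), kind, detail))
    return events


def detect(events, window=300):
    """Return (source, reason) alerts. A DoH lookup followed within `window` seconds
    by outbound SSH from the same host is correlated, because the report describes
    the implant resolving its C2 over DoH before connecting to it."""
    alerts = []
    doh_seen = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "tls" and e.detail in DOH_SNI:
            doh_seen[e.src].append(e.ts)
            if e.src in PERIMETER:
                alerts.append((str(e.src), f"perimeter device queried DoH resolver {e.detail}"))
        elif e.kind == "ssh" and not is_internal(e.dst):
            parsed = parse_banner(e.detail)
            if parsed is None:
                alerts.append((str(e.src), f"non-RFC 4253 identification string on port {e.dport}"))
                continue
            _, soft, _ = parsed
            reasons = []
            if e.src in PERIMETER:
                reasons.append("perimeter device initiated outbound SSH")
            if is_outdated(soft):
                reasons.append(f"client banner claims outdated {soft}")
            if any(0 <= e.ts - t <= window for t in doh_seen[e.src]):
                reasons.append("preceded by a DoH lookup from the same host")
            if reasons:
                alerts.append((str(e.src), "; ".join(reasons)))
    return alerts


# Constructed sample: one firewall doing DoH then SSH with an old banner,
# two ordinary hosts doing nothing that should alert.
SAMPLE_LOG = """\
1700000000 203.0.113.10 8.8.8.8 443 tls dns.google
1700000002 203.0.113.10 198.51.100.7 22 ssh SSH-2.0-OpenSSH_5.3
1700000005 10.0.0.5 198.51.100.9 22 ssh SSH-2.0-OpenSSH_9.6 Ubuntu-3ubuntu13
1700000010 10.0.0.7 1.1.1.1 443 tls cloudflare-dns.com
"""

if __name__ == "__main__":
    for src, reason in detect(parse_log(SAMPLE_LOG)):
        print(src, "->", reason)
```

The version floor deliberately produces false positives for genuinely old but legitimate clients; in practice the strongest signal is the combination, since a firewall has no routine reason to talk to a public DoH resolver or to initiate outbound SSH, and the banner check is what distinguishes this implant from an administrator's own tooling.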
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by SHOE RACK. These include:
- Network Segmentation: Segment the network to limit lateral movement after a perimeter compromise, with strict access controls between segments. Treat the firewall's own management addresses as a segment too: a perimeter appliance has no routine need to initiate outbound SSH or to contact public DoH resolvers, so egress from the appliance itself should be restricted to the vendor and logging destinations it actually requires.
- Regular Updates: Keep all systems and software current with security patches, including the firmware of perimeter appliances such as the FortiGate firewalls targeted here, operating systems and applications. SHOE RACK is a post-exploitation tool, so it arrives after an initial compromise; patching known vulnerabilities in exposed devices removes the most likely entry points. Appliances that no longer receive vendor updates should be replaced rather than left on the perimeter.
- Intrusion Detection Systems: Deploy network intrusion detection to monitor traffic for signs of compromise. For this threat the useful signals are outbound SSH connections originating from the firewall, SSH identification strings claiming an outdated version, and TLS connections from the appliance to known DoH resolvers; alerting on these allows a quick response before the implant is used to pivot.
- Endpoint Protection: Implement endpoint protection on the servers and workstations that an attacker would reach by pivoting through a compromised perimeter device, so that follow-on activity is detected and contained. Firewall appliances generally cannot host third-party agents, so for those devices rely on the vendor's integrity-verification tooling and on monitoring their behaviour from the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data, including firewall configurations, so that systems can be restored after ransomware or other destructive follow-on activity. Store backups offline or in a separate network segment so that an attacker who has pivoted into the network cannot encrypt or delete them.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk posed by SHOE RACK and similar post-exploitation tools that rely on compromised perimeter devices.