
The UK’s National Cyber Security Centre (NCSC) has issued a critical warning about a sophisticated post-exploitation malware strain dubbed SHOE RACK, which leverages an unusual combination of DNS-over-HTTPS (DoH) and SSH protocols to establish persistent backdoor access on compromised systems.
This malware specifically targets FortiGate 100D series firewalls manufactured by Fortinet, representing a significant threat to enterprise network security infrastructure.
SHOE RACK operates as a reverse shell tool that enables attackers to maintain remote access and establish TCP tunneling capabilities through victim devices.
The malware demonstrates advanced evasion techniques by masquerading as legitimate network protocols, making detection particularly challenging for traditional security monitoring systems.
Its deployment strategy focuses on perimeter network devices, suggesting threat actors are attempting to establish footholds for lateral movement within corporate networks.
NCSC analysts identified that SHOE RACK was developed using Go 1.18 and appears to be based partially on a publicly available reverse SSH Go implementation known as ‘NHAS’.
The malware sample recovered from victim systems was distributed as a UPX-packed executable named “ldnet” with the SHA-256 hash 5c5843ae833cab1417a0ac992b5007fce40158fc3afec4c6e4fd0e932de07177.
Upon execution, the malware establishes connections to its command and control infrastructure using a hardcoded domain phcia.duckdns.org on port 443.
The malware’s network infrastructure demonstrates sophisticated operational security considerations.
SHOE RACK randomly selects from multiple legitimate DNS providers including Google DNS, Cloudflare, NextDNS, Quad9, and OpenDNS to resolve its C2 server’s IP address using DNS-over-HTTPS queries.
This technique helps the malware blend with normal network traffic while avoiding DNS-based detection mechanisms.
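The resolver-hopping behaviour described above gives defenders a narrow but useful signal: workstations and browsers use DoH legitimately, but a perimeter firewall opening TLS sessions to public DoH resolvers, or to the C2 domain named in the report, is not normal. The following detection logic is an added example, not code from the NCSC report or from the malware; it runs over a constructed, tab-separated connection log loosely modelled on a Zeek ssl.log, and the perimeter address 192.0.2.1 and the resolver hostname list are assumptions (the hostnames are the providers' well-known DoH endpoints, but the list will need maintaining).

```python
from dataclasses import dataclass

# Constructed sample connection log (ts, source IP, destination IP, destination
# port, TLS SNI). Documentation/test addresses only, not real traffic;
# 192.0.2.1 stands in for the firewall's outbound address.
SAMPLE_LOG = """\
1718000001.1\t192.0.2.10\t203.0.113.5\t443\twww.example.com
1718000002.2\t192.0.2.1\t8.8.8.8\t443\tdns.google
1718000003.3\t192.0.2.1\t198.51.100.7\t443\tphcia.duckdns.org
1718000004.4\t192.0.2.55\t1.1.1.1\t443\tcloudflare-dns.com
1718000005.5\t192.0.2.1\t9.9.9.9\t443\tdns.quad9.net
"""

# Well-known DNS-over-HTTPS endpoints of the providers named in the report.
# Providers add endpoints over time; treat this as a starting list (assumption).
DOH_RESOLVER_HOSTS = {
    "dns.google",          # Google
    "cloudflare-dns.com",  # Cloudflare
    "dns.nextdns.io",      # NextDNS
    "dns.quad9.net",       # Quad9
    "doh.opendns.com",     # OpenDNS
}

# C2 domain published in the NCSC report.
KNOWN_C2_HOSTS = {"phcia.duckdns.org"}


@dataclass(frozen=True)
class Alert:
    ts: float
    src_ip: str
    dst_ip: str
    sni: str
    reason: str


def parse_line(line):
    """Split one tab-separated log line into its fields; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, src_ip, dst_ip, dst_port, sni = parts
    try:
        return float(ts), src_ip, dst_ip, int(dst_port), sni.lower()
    except ValueError:
        return None


def find_alerts(log_text, perimeter_ips):
    """Return alerts for (a) any host contacting the known C2 domain and
    (b) perimeter devices sending TLS to a public DoH resolver.

    Rule (b) is scoped to perimeter devices on purpose: endpoints use DoH
    legitimately, but a firewall resolving names through a third-party HTTPS
    resolver instead of its configured DNS is anomalous.
    """
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src_ip, dst_ip, dst_port, sni = parsed
        if sni in KNOWN_C2_HOSTS:
            alerts.append(Alert(ts, src_ip, dst_ip, sni, "known_c2_domain"))
        elif dst_port == 443 and src_ip in perimeter_ips and sni in DOH_RESOLVER_HOSTS:
            alerts.append(Alert(ts, src_ip, dst_ip, sni, "doh_from_perimeter"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, perimeter_ips={"192.0.2.1"}):
        print(f"{alert.ts:.1f} {alert.src_ip} -> {alert.sni} [{alert.reason}]")
```

On the sample log this raises three alerts, all for the firewall: two DoH resolver contacts and one to the C2 domain, while the workstation's own Cloudflare DoH session is left alone. Matching on SNI rather than resolver IP keeps the rule stable across anycast address changes, at the cost of missing clients that omit SNI.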
Advanced SSH Protocol Manipulation
The most distinctive aspect of SHOE RACK lies in its unconventional implementation of SSH protocol communications.
After establishing a TCP/TLS connection to its C2 server, the malware initiates an SSH-2.0 connection while falsely advertising an outdated SSH version identifier of ‘SSH-1.1.3’.
This version impersonation gives security teams a network fingerprinting opportunity, because legitimate SSH implementations have not advertised such antiquated version strings for decades.
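The fingerprinting opportunity above can be turned into a concrete check on captured SSH identification strings. The parser below is an added example, not code from the report or the malware: it splits an identification line according to the RFC 4253 format (SSH-protoversion-softwareversion, optional space-separated comments, CR LF) and flags any protocol version outside the set a legitimate peer would send. The sample banners are constructed; the "SSH-1.1.3" entry is the string the report attributes to SHOE RACK, and "SSH-2.0-Go" is the default identifier of the Go x/crypto/ssh library, included to show what a Go client that does not lie about its version would send.

```python
from dataclasses import dataclass
from typing import Optional

# Protocol versions a legitimate SSH peer may advertise: "2.0" (RFC 4253),
# "1.99" (a 2.0-capable server that also accepts SSH-1 clients), and the
# retired SSH-1 protocol versions "1.5" and "1.3".
LEGITIMATE_PROTO_VERSIONS = {"2.0", "1.99", "1.5", "1.3"}


@dataclass(frozen=True)
class SshIdent:
    proto: str
    software: str
    comments: str
    suspicious: bool
    reason: str


def parse_ssh_ident(line: str) -> Optional[SshIdent]:
    """Parse an SSH identification string (RFC 4253 section 4.2) and flag
    unexpected protocol versions. Returns None for data that is not SSH."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        return None
    rest = line[4:]
    # softwareversion must not contain '-', so the first '-' ends protoversion.
    # A peer that sends only "SSH-x.y.z" with no softwareversion is itself
    # malformed; keep whatever it sent as the protocol version.
    if "-" in rest:
        proto, software_and_comments = rest.split("-", 1)
    else:
        proto, software_and_comments = rest, ""
    software, _, comments = software_and_comments.partition(" ")
    if proto in LEGITIMATE_PROTO_VERSIONS:
        return SshIdent(proto, software, comments, False, "")
    return SshIdent(proto, software, comments, True,
                    f"unexpected SSH protocol version '{proto}'")


def scan_banners(banners):
    """Return only the parsed identification strings that merit attention."""
    flagged = []
    for banner in banners:
        ident = parse_ssh_ident(banner)
        if ident is not None and ident.suspicious:
            flagged.append(ident)
    return flagged


# Constructed sample banners, as they would appear in captured session data.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13\r\n",
    "SSH-1.99-Cisco-1.25\r\n",
    "SSH-1.1.3\r\n",            # the string the report attributes to SHOE RACK
    "SSH-2.0-Go\r\n",          # default identifier of the Go x/crypto/ssh library
    "HTTP/1.1 200 OK\r\n",     # not SSH at all
]

if __name__ == "__main__":
    for ident in scan_banners(SAMPLE_BANNERS):
        print(ident.reason, ident)
```

One caveat the report itself implies: SHOE RACK speaks SSH inside a TLS session to port 443, so a passive network sensor never sees the banner in the clear. This check is only useful where the identification string is actually visible, for example on a TLS-inspecting proxy, in host-level telemetry, or in memory and traffic captures taken during incident response.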
The malware’s SSH implementation includes two primary channel types: ‘session’ for standard shell operations and a non-standard ‘jump’ channel that creates reverse-SSH tunnels.
The jump functionality enables the malware to effectively reverse roles, transforming itself into an SSH server despite initially acting as the client.
This bidirectional capability allows threat actors to establish multiple connection paths and maintain persistence even if primary communication channels are disrupted.

