NCSC Issues Advisory on SHOE RACK Malware Abusing DoH and SSH Protocols to Target Fortinet Firewalls

The National Cyber Security Centre (NCSC) has issued a technical advisory on SHOE RACK, a Linux malware targeting Fortinet firewall devices that combines DNS-over-HTTPS (DoH) lookups with a customised Secure Shell (SSH) implementation for command and control.

The malware is written in Go 1.18 and has been recovered in both UPX-packed and unpacked forms; its design shows deliberate attention to operational security and to persistence on the compromised device.

Modified Open-Source Tooling

SHOE RACK is assessed to be built on NHAS, a publicly available open-source reverse SSH implementation written in Go, with substantial modifications for stealth and flexibility.

Once running, the malware begins its communication sequence by picking at random one of several legitimate public DNS resolvers (Google, Cloudflare, NextDNS, Quad9 or OpenDNS) to use for its lookups.

Over DNS-over-HTTPS it queries the MX record of its hardcoded command and control (C2) domain, phcia.duckdns.org. Because the query travels inside HTTPS to a well-known resolver, it is invisible to conventional DNS monitoring and blends in with ordinary web traffic.
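To make the lookup stage concrete, the following is an added example written for this article; it is not code from the advisory or from SHOE RACK. It builds the DNS wire-format MX query for the C2 domain, wraps it in an RFC 8484 GET URL for a randomly chosen public resolver, and parses a resolver reply, including compressed names, down to the exchange host and its address. The resolver endpoint URLs, the mail host name, the IP address and the reply bytes are constructed for illustration and are not indicators from the advisory.

```python
import base64
import random
import struct

QTYPE_A, QTYPE_MX = 1, 15

# Public RFC 8484 endpoints for four of the resolver families the advisory
# names (constructed list for this example; the exact URLs SHOE RACK embeds are
# not given, and NextDNS endpoints are per-customer so it is left out here).
DOH_ENDPOINTS = [
    "https://dns.google/dns-query",
    "https://cloudflare-dns.com/dns-query",
    "https://dns.quad9.net/dns-query",
    "https://doh.opendns.com/dns-query",
]

def pick_endpoint(rng=random):
    """Mirror the malware's random choice among public resolvers."""
    return rng.choice(DOH_ENDPOINTS)

def encode_name(name):
    """Dotted hostname -> RFC 1035 label sequence, ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, txid=0):
    """One-question DNS query; RFC 8484 recommends ID 0 so GET URLs cache."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def doh_get_url(endpoint, query):
    """RFC 8484 GET form: ?dns=<base64url of the message, padding removed>."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def query_from_url(url):
    """Inverse of doh_get_url, i.e. what a TLS-terminating proxy could recover."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def question_of(msg):
    """(qname, qtype) of the first question; works on the query or the reply."""
    name, off = read_name(msg, 12)
    return name, struct.unpack(">H", msg[off:off + 2])[0]

def parse_response(msg):
    """Return (rcode, records) with MX and A rdata decoded, other types raw."""
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4                  # skip qtype/qclass
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == QTYPE_MX:
            value = (struct.unpack(">H", rdata[:2])[0], read_name(msg, off + 2)[0])
        elif rtype == QTYPE_A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        records.append((name, rtype, ttl, value))
        off += rdlen
    return flags & 0x000F, records

def constructed_reply(query):
    """Constructed resolver reply (not real data): one MX answer whose exchange
    host reuses the question name through a compression pointer, plus an
    additional A record for that host so the client ends up with an IP."""
    txid = struct.unpack(">H", query[:2])[0]
    qname_ptr = b"\xc0\x0c"                                 # points at offset 12
    mx_rdata = struct.pack(">H", 10) + b"\x04mail" + qname_ptr
    mx_rr = qname_ptr + struct.pack(">HHIH", QTYPE_MX, 1, 300, len(mx_rdata)) + mx_rdata
    a_rr = b"\x04mail" + qname_ptr + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + bytes([203, 0, 113, 10])
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 1) + query[12:] + mx_rr + a_rr

if __name__ == "__main__":
    q = build_query("phcia.duckdns.org", QTYPE_MX)
    url = doh_get_url(pick_endpoint(), q)
    print("GET", url)
    rcode, records = parse_response(constructed_reply(query_from_url(url)))
    for name, rtype, ttl, value in records:
        print(name, rtype, ttl, value)
```

The same parser serves the defender: a proxy that terminates TLS to the public resolvers can decode the `dns` parameter with query_from_url and question_of and alert on MX lookups for duckdns.org names originating from a firewall's management address.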

Having obtained the C2's IP address, SHOE RACK opens a TCP/TLS connection and upgrades it to SSH, advertising a non-standard version string ('SSH-1.1.3') in place of the 'SSH-2.0-' prefix that conforming SSH-2 implementations send, so that signatures keyed on normal SSH banners may not fire.

Unlike a normal SSH client, the malware opens no channels of its own; it waits for the C2 server to open channels toward it, acting as a quiet client that receives commands rather than issuing requests.

Dual-Mode Channel Exploitation for Network Pivoting

SHOE RACK supports two SSH channel types: the standard 'session' channel and a custom 'jump' channel.

The 'session' channel gives the operator interactive shell access, file transfer via SFTP, and the ability to change the user and group identity of spawned processes through the setuid and setgid syscalls.

This level of access allows for the complete remote administration of compromised devices.

More notably, the custom 'jump' channel repurposes the established session: over the persistent outbound connection it sets up a reverse SSH tunnel.

Inside that tunnel the malware acts as an SSH server, giving the operator bi-directional access to the device without any new inbound connection that perimeter monitoring might flag.

Because the server side exposed through the jump channel honours direct-tcpip channel requests, the operator can tunnel arbitrary TCP connections through the implant into the networks behind the firewall, which supports lateral movement and data exfiltration.

UPX packing and the avoidance of common SSH fingerprints are further signs of attention to operational security.

The malware's structure points to a clear intent to persist in the target environment and, in particular, to pivot from the perimeter device into internal LAN segments.

This is a deliberate step up in tradecraft: the attackers use legitimate protocols and public infrastructure to hide their command and control activity.

The NCSC assesses that SHOE RACK was developed by actors who selectively adapt open-source tools, incrementally enhancing them for robustness and stealth.

At the same time, the combination of encrypted DNS lookups with a non-standard SSH banner produces a distinctive network signature, which the NCSC notes as a potential avenue for detection despite the malware's concealment.

Organizations are urged to review network traffic for these indicators, in particular DoH sessions originating from perimeter devices and SSH connections advertising unusual version strings, and to check the hashes and domain listed below against their own telemetry.
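As an added example of that review (this is detection logic written for this article, not code from the advisory), the script below runs three checks over a subset of Zeek-style ssh.log and ssl.log columns: an SSH client banner that does not match the RFC 4253 'SSH-2.0-' or 'SSH-1.99-' form, SSH seen on a port other than 22, and a TLS session from a watched perimeter address to a public DoH hostname. A host that trips two or more checks is flagged. The sample log lines, the perimeter address 10.0.0.1 and the DoH hostname set are constructed for illustration. One caveat for deployment: if the SSH exchange really is wrapped in TLS as described above, a passive sensor will not see the banner unless that TLS is terminated or inspected, and the port-443 and DoH signals are what remain.

```python
import re
from collections import defaultdict

# RFC 4253 §4.2 identification string: "SSH-protoversion-softwareversion [SP comments]".
# Conforming SSH-2 peers send "SSH-2.0-..." (or "SSH-1.99-..." for old-style
# compatibility); anything else, such as the "SSH-1.1.3" the advisory reports,
# is worth a look.
CONFORMING_BANNER = re.compile(r"^SSH-(2\.0|1\.99)-[\x21-\x7e]+( .*)?$")

# Hostnames of the public DoH services in the advisory's resolver list
# (constructed set for this example; the page does not give the malware's URLs).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net",
             "dns.nextdns.io", "doh.opendns.com"}

# Management addresses of the perimeter devices being watched (constructed).
PERIMETER_HOSTS = {"10.0.0.1"}

# Constructed sample logs using a subset of Zeek's ssh.log and ssl.log columns.
# Row 1 of ssh.log models the advisory's behaviour; row 2 is ordinary admin SSH.
SAMPLE_SSH_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tclient\tserver
1718000000.1\t10.0.0.1\t51234\t198.51.100.7\t443\tSSH-1.1.3\tSSH-2.0-OpenSSH_9.2
1718000001.2\t10.0.0.5\t51235\t10.0.0.9\t22\tSSH-2.0-OpenSSH_9.6\tSSH-2.0-OpenSSH_9.6
"""
SAMPLE_SSL_LOG = """#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name
1717999990.0\t10.0.0.1\t40000\t8.8.8.8\t443\tdns.google
1717999995.0\t10.0.0.5\t40001\t93.184.216.34\t443\texample.com
"""

def parse_zeek_tsv(text):
    """Parse a Zeek-style TSV log into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def analyze(ssh_log, ssl_log, min_findings=2):
    """Return (findings per source host, set of hosts with >= min_findings)."""
    findings = defaultdict(list)
    for r in parse_zeek_tsv(ssh_log):
        src, dst = r["id.orig_h"], r["id.resp_h"] + ":" + r["id.resp_p"]
        if not CONFORMING_BANNER.match(r["client"]):
            findings[src].append("non-conforming SSH client banner %r to %s" % (r["client"], dst))
        if r["id.resp_p"] != "22":
            findings[src].append("SSH on non-standard port to " + dst)
    for r in parse_zeek_tsv(ssl_log):
        src = r["id.orig_h"]
        if src in PERIMETER_HOSTS and r["server_name"] in DOH_HOSTS:
            findings[src].append("DoH session from perimeter device to " + r["server_name"])
    flagged = {host for host, items in findings.items() if len(items) >= min_findings}
    return dict(findings), flagged

if __name__ == "__main__":
    findings, flagged = analyze(SAMPLE_SSH_LOG, SAMPLE_SSL_LOG)
    for host in sorted(findings):
        print(host, "FLAGGED" if host in flagged else "", *findings[host], sep="\n  ")
```

The banner check is the most specific of the three, and the DoH check is the noisiest on a general client network, which is why it is restricted to perimeter addresses: a firewall has no business talking to a public DoH resolver on its own behalf.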

Indicators of Compromise (IOCs)

Type      Description          Value
Domain    C2 domain            phcia.duckdns.org:443
Filename  Malware name         ldnet
Hash      UPX-packed MD5       fa2a49f137a622c20ab078c0f7028cf2
Hash      UPX-packed SHA-1     a11e33292d6fe1eb27860c70276fcae118bcf274
Hash      UPX-packed SHA-256   5c5843ae833cab1417a0ac992b5007fce40158fc3afec4c6e4fd0e932de07177
Hash      Unpacked MD5         8535eb46a621f806a21fb9c1f4f79ab2
Hash      Unpacked SHA-1       d47d8c42556fe5081a94483eb47be4c59a515861
Hash      Unpacked SHA-256     d86d360f51550feccfd92f0e04891591ab9b0c049eacd07d49460f6b3d7764bf


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
