SHOE RACK: A post-exploitation tool for remote shell access & TCP tunnelling through a victim device

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

SHOE RACK is a sophisticated malware developed in Go 1.18 and designed for post-exploitation activities. It connects to a custom SSH server at a hardcoded C2 URL, enabling remote interaction with the victim device. The malware resolves its C2 server's IP address via DNS-over-HTTPS and has been observed targeting FortiGate 100D series firewalls. SHOE RACK supports several SSH channel types, including the standard 'session' type and a non-standard 'jump' type that enables reverse-SSH tunnelling. It also provides TCP tunnelling, which lets actors pivot into LAN networks after compromising perimeter devices. Although some operational security measures are implemented, the malware's network communications are distinctive because it impersonates an outdated SSH version.

OPENCTI LABELS:

fortigate,post-exploitation,shoe rack,remote shell,reverse ssh,dns-over-https,tcp tunnelling,firewalls
