The New Frontier of Firewall Exploits
A recently published technical advisory from the UK’s National Cyber Security Centre (NCSC) describes a stealthy and highly capable malware family dubbed SHOE RACK. Written in Go 1.18 and obfuscated, it specifically targets Fortinet firewall devices, a widely deployed line of network security appliances. What makes SHOE RACK particularly dangerous is its use of DNS-over-HTTPS (DoH) and a customized SSH protocol to slip past traditional detection, turning a compromised firewall into a covert access gateway into the network behind it. The campaign reflects a deliberate, technically advanced operation built to bypass conventional defenses.
SHOE RACK’s Technical Depth and Stealth Tactics
SHOE RACK is a striking example of attackers modifying open-source tools to serve their own ends. It is built on top of NHAS’s reverse SSH implementation, a legitimate open-source tool written in Go, and adapts that benign foundation into a stealthy implant. One of its first moves is to select a public DNS resolver at random (Google or Cloudflare, for example) and look up its command and control (C2) domain, phcia.duckdns.org, over DNS-over-HTTPS. Because the lookup travels inside an ordinary HTTPS session to a well-known resolver rather than as a plaintext UDP/53 query, conventional DNS filtering and firewall content inspection never see the name being resolved.
After resolving the C2 domain, SHOE RACK opens a TCP/TLS connection to it and upgrades that session to SSH, advertising a bogus, outdated version string (SSH-1.1.3) to further avoid detection. From then on it does not behave like a normal SSH client: having dialed out, it sits quietly and waits for the remote operator to issue commands, so the attacker’s control traffic rides on a connection the firewall itself initiated and blends into ordinary outbound activity.
The malware introduces two types of SSH channels: a standard session channel, giving the attacker full shell access and file transfer capabilities, and a custom jump channel, which uses the existing connection to create a reverse SSH tunnel. This enables the attacker to bypass network defenses and move laterally through internal systems. Crucially, it doesn’t open new connections that could set off alarms — it simply piggybacks on the tunnel it’s already established.
Another key feature is UPX packing, which compresses the binary and hides its strings and structure from naive static scanning. The overall design points to a high degree of operational security and an intent to persist long term. Encrypted DNS, a spoofed SSH version string and traffic that resembles legitimate activity are combined into an implant built to embed itself deep in corporate infrastructure.
The NCSC notes that while SHOE RACK is difficult to detect, it does leave behind unique network fingerprints, especially in its outdated SSH version advertisement and encrypted DNS behaviors. Organizations are urged to monitor network traffic for these rare patterns to identify potential infections. The malware’s indicators of compromise include specific domains, filenames, and cryptographic hashes that defenders can use for hunting.
What Undercode Say:
A New Benchmark for Firewall Intrusions
SHOE RACK isn’t just another piece of malware; it is a tactical evolution in how adversaries compromise edge devices. Fortinet firewalls are generally assumed to be trusted guardians of the network perimeter, but this malware flips that assumption. Rather than attacking from the outside in, SHOE RACK burrows into the outer layer and pivots inward, quietly unlocking doors as it goes.
Leveraging Open-Source with Military Precision
By modifying open-source tools such as NHAS’s reverse SSH, attackers avoid reinventing the wheel and make attribution harder, since the code base is shared with countless legitimate users. SHOE RACK does nothing fundamentally new in concept, but it combines old tactics in a thoroughly modern package: encrypted DNS for stealth, a spoofed SSH version string for evasion, and an implant designed for staying power. This hybrid approach makes detection extremely difficult without behavioral analysis or tooling that can see inside encrypted sessions.
DNS-over-HTTPS as a Cover
The use of DNS-over-HTTPS is brilliant in its subtlety. Most organizations still do not inspect encrypted DNS, so a lookup of phcia.duckdns.org arrives as just another HTTPS session to Google or Cloudflare and looks like ordinary browsing. This abuse of public infrastructure puts defenders in a tricky spot: how do you block legitimate resolver services without disrupting business operations? The practical starting point is to baseline which hosts have any business talking to DoH endpoints at all; a firewall’s management plane is not one of them.
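To make the point above (and the description of the C2 lookup in the technical section) concrete, here is an added example, not code from the NCSC advisory or from the malware: it builds the RFC 8484 GET form of a DoH lookup for the page’s C2 domain, then recovers the queried name from a constructed request log of a TLS-inspecting proxy. Only the GET form is decodable from a URL; the POST form carries the query in the request body. The resolver hostnames, the log line format and the sample lines are assumptions made for the example.

```python
"""Added example: what a DNS-over-HTTPS (RFC 8484) lookup of a C2 name looks
like on the wire, and how to recover the queried name from a decrypting
proxy's request log. Constructed for this page; not the malware's code."""
import base64
import struct
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Documented DoH hostnames of the public resolvers the page mentions (assumed list).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "1.1.1.1"}


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """RFC 1035 wire format: 12-byte header, QNAME as length-prefixed labels,
    QTYPE (1 = A), QCLASS (1 = IN). RD flag set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: the wire query, base64url without padding, in ?dns=.
    Transaction ID 0 is what the RFC suggests so responses cache well."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    return f"https://{resolver}/dns-query?dns={encoded}"


def parse_qname(msg: bytes) -> str:
    """Read the first question's QNAME out of a wire-format DNS message."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def qname_from_url(url: str) -> Optional[str]:
    """Return the looked-up name if url is a DoH GET to a known resolver, else None."""
    u = urlsplit(url)
    if u.hostname not in DOH_HOSTS or u.path != "/dns-query":
        return None
    param = parse_qs(u.query).get("dns")
    if not param:
        return None
    raw = param[0]
    return parse_qname(base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)))


def hunt(log_lines: List[str], watchlist: set) -> List[Tuple[str, str]]:
    """Constructed log format: '<client_ip> <METHOD> <url>'. Returns (client, name)
    for every DoH lookup of a watch-listed domain."""
    hits = []
    for line in log_lines:
        client, _method, url = line.split(" ", 2)
        name = qname_from_url(url)
        if name is not None and name.lower() in watchlist:
            hits.append((client, name))
    return hits


# Constructed proxy log (not a real capture): a browser fetch, the firewall
# (10.0.0.1) looking up the page's C2 domain over DoH, and a benign DoH lookup.
SAMPLE_LOG = [
    "10.0.0.20 GET https://www.example.com/",
    "10.0.0.1 GET " + doh_get_url("dns.google", "phcia.duckdns.org"),
    "10.0.0.20 GET " + doh_get_url("cloudflare-dns.com", "www.example.org"),
]
WATCHLIST = {"phcia.duckdns.org"}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG, WATCHLIST))
```

Without TLS interception none of this is visible: the only on-wire signal is a TLS session whose SNI is a DoH resolver, which is why the per-host baseline matters more than the query contents.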
SSH Subversion with Jump Channels
Traditional SSH-based attacks rely on brute force or credential stuffing against an exposed server. SHOE RACK sidesteps that entirely: the compromised device dials out, and the reverse tunnel and custom jump channel let the attacker reach internal systems without ever opening an inbound connection that perimeter controls would flag. It’s a shift from direct hacking to invisible occupation, where the attacker becomes part of the internal architecture.
UPX Packing and Persistence
The advisory lists both packed and unpacked builds of the malware, each with its own hash, which shows the attacker’s attention to detail. UPX defeats naive string and signature matching and hash-based blocklists, but it is a well-known packer that is easily unpacked, so its value lies in evading the cheapest checks rather than serious analysis; why an unpacked build also circulates, the advisory does not say. Either way, SHOE RACK is built for long-term residence, not quick hits.
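As an added example for the UPX remarks here and in the technical section (not code from the advisory or the malware), the following triage check looks for the strings a stock UPX build leaves in its output and falls back to a block-entropy heuristic, because a one-byte edit to the UPX header hides the markers and breaks `upx -d` while leaving the payload just as compressed. The sample blobs are constructed; the real SHOE RACK binaries are not reproduced here.

```python
"""Added example: packer triage for a binary pulled off a device. Marker
strings come from stock UPX output; the entropy fallback catches tampered
headers. Thresholds are assumptions tuned for the constructed samples."""
import math
import random
from collections import Counter
from typing import Dict, List

# Markers a stock UPX build writes into packed files.
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX executable packer")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def upx_markers(data: bytes) -> List[str]:
    return [m.decode() for m in UPX_MARKERS if m in data]


def packing_verdict(data: bytes, block: int = 4096, threshold: float = 7.2) -> Dict:
    """Marker hits plus the share of blocks that look compressed or encrypted.
    A mostly-dense image with no markers is the tampered-UPX (or other packer) case."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    dense = sum(1 for b in blocks if shannon_entropy(b) >= threshold)
    frac = dense / len(blocks) if blocks else 0.0
    markers = upx_markers(data)
    return {
        "markers": markers,
        "entropy": round(shannon_entropy(data), 2),
        "dense_block_fraction": round(frac, 2),
        "likely_packed": bool(markers) or frac >= 0.8,
    }


# Constructed samples: a 'packed' blob of seeded pseudo-random bytes behind a
# UPX marker, the same blob with the marker overwritten, and repetitive text
# standing in for an unpacked Go image.
_rng = random.Random(1)
_payload = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
PACKED = b"\x7fELF" + b"UPX!" + _payload
STRIPPED = b"\x7fELF" + b"ZZZ!" + _payload
UNPACKED = b"\x7fELF" + b"Go build ID: abc; fmt.Println main.main runtime.gopanic " * 1500

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("stripped", STRIPPED), ("unpacked", UNPACKED)):
        print(name, packing_verdict(blob))
```

Treat a high dense-block fraction as a hunting lead rather than a verdict: legitimate binaries with embedded archives or large encrypted resources trip the same heuristic, and the unpacked SHOE RACK variant would pass it, which is exactly why the advisory publishes hashes for both builds.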
Detection Still Possible, But Difficult
Despite its evasiveness, SHOE RACK leaves some breadcrumbs. The outdated SSH version string and the reliance on specific DNS patterns create detectable anomalies. Security teams with advanced monitoring setups can still identify and contain it, but legacy systems and under-resourced organizations are highly vulnerable.
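The following is an added example, not code from the advisory or the malware, of turning the breadcrumbs named here and in the technical section into a check: it parses SSH identification strings per RFC 4253 (which makes the page’s quoted SSH-1.1.3 stand out as malformed, since it lacks the softwareversion part a real peer sends) and combines that with flow context, namely an edge device dialing out to a non-internal address on a port other than 22. The identification string is only visible where the session is not wrapped in TLS, or after TLS termination on an inspecting proxy or host-side capture; the flow records, addresses and the “SSH-2.0-Go” responder banner are constructed for the example.

```python
"""Added example: flagging the SSH banner and flow anomalies the page describes.
Constructed for this page; not code from the NCSC advisory or the malware."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n?$"
)
VALID_PROTO = {"2.0", "1.99"}  # 1.99 = a 2.0 server also willing to speak 1.x
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    src: str              # address that opened the TCP connection
    dst: str
    dport: int
    initiator_ident: str  # first line sent by src
    responder_ident: str  # first line sent by dst


def parse_ident(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split an identification string into (protoversion, softwareversion, comments)."""
    m = IDENT_RE.match(line)
    return None if m is None else (m.group("proto"), m.group("soft"), m.group("comment"))


def ident_findings(line: str) -> List[str]:
    parsed = parse_ident(line)
    if parsed is None:
        # "SSH-1.1.3" lands here: there is no '-softwareversion' part at all.
        return [f"malformed identification string {line.strip()!r}"]
    proto, _soft, _comment = parsed
    if proto not in VALID_PROTO:
        return [f"obsolete protoversion {proto!r} (real peers send 2.0 or 1.99)"]
    return []


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def flow_findings(flow: Flow, edge_devices: set) -> List[str]:
    """Banner anomalies plus context: an edge device initiating SSH to a
    non-internal address, and SSH on a port other than 22."""
    out = []
    for role, ident in (("initiator", flow.initiator_ident), ("responder", flow.responder_ident)):
        out += [f"{role}: {f}" for f in ident_findings(ident)]
    if flow.dport != 22:
        out.append(f"SSH identification on non-standard port {flow.dport}")
    if flow.src in edge_devices and not is_internal(flow.dst):
        out.append(f"edge device {flow.src} initiated SSH to external address {flow.dst} (reverse-tunnel pattern)")
    return out


# Constructed flows (not real captures). 10.0.0.1 is the firewall's address.
EDGE_DEVICES = {"10.0.0.1"}
SAMPLE_FLOWS = [
    Flow("10.0.0.20", "10.0.0.1", 22, "SSH-2.0-OpenSSH_9.6\r\n", "SSH-2.0-OpenSSH_9.3\r\n"),
    Flow("10.0.0.1", "203.0.113.10", 443, "SSH-1.1.3\r\n", "SSH-2.0-Go\r\n"),
]


def hunt(flows=SAMPLE_FLOWS, edge_devices=EDGE_DEVICES) -> dict:
    return {f"{f.src}->{f.dst}:{f.dport}": flow_findings(f, edge_devices) for f in flows}


if __name__ == "__main__":
    for key, findings in hunt().items():
        print(key, findings or "ok")
```

The banner check alone is brittle, since the next build can advertise a perfectly ordinary string; the flow-direction check (a firewall that initiates SSH outbound at all) is the one worth keeping in a detection rule.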
Why Fortinet?
The choice of Fortinet firewalls suggests the attacker is targeting mid-to-large enterprises and possibly managed service providers (MSPs). These firewalls are trusted, widely deployed, and sit at the perfect junction point for internal and external traffic — making them ideal launch pads for lateral movement.
Implications for Network Trust Models
SHOE RACK reinforces the need for Zero Trust models, where even perimeter devices are constantly verified. It also highlights the danger of assuming that edge devices are inherently secure. Attackers are now weaponizing trust, and that requires a rethink of current security architecture.
🔍 Fact Checker Results:
✅ The NCSC has officially documented SHOE RACK in their technical advisory
✅ The malware uses DNS-over-HTTPS and custom SSH protocols to evade detection
✅ Hashes and IOCs were publicly released for active threat hunting
📊 Prediction:
Expect to see more malware like SHOE RACK that blends encrypted DNS, SSH spoofing, and reverse tunneling. Attackers will increasingly rely on modular, open-source-based malware to silently control infrastructure. Defensive tools will need to evolve toward behavioral anomaly detection and encrypted traffic inspection if organizations hope to stay ahead. 🚨🛡️
References:
Reported By: cyberpress.org