SHOE RACK: A post-exploitation tool for remote shell access & TCP tunnelling through a victim device

Medium
Published: Thu Jun 26 2025 (06/26/2025, 21:05:58 UTC)
Source: AlienVault OTX General

Description

SHOE RACK is a sophisticated malware developed in Go 1.18, designed for post-exploitation activities. It connects to a custom SSH server at a hardcoded C2 URL, enabling remote interaction with the victim device. The malware utilizes DNS-over-HTTPS to locate its C2 server's IP address and has been observed targeting FortiGate 100D series firewalls. SHOE RACK supports various channel types, including 'session' and a non-standard 'jump' type, allowing for reverse-SSH tunneling. It also offers TCP tunneling capabilities, enabling actors to pivot into LAN networks after compromising perimeter devices. While some operational security measures are implemented, the malware's network communications are distinctive due to its impersonation of an outdated SSH version.

AI-Powered Analysis

Last updated: 06/26/2025, 21:35:08 UTC

Technical Analysis

SHOE RACK is a post-exploitation tool written in Go 1.18 that gives an operator remote shell access and TCP tunnelling through a compromised device. It has been observed on FortiGate 100D series firewalls, that is, on the perimeter device itself rather than on a host behind it. On execution it resolves the IP address of its hardcoded C2 hostname over DNS-over-HTTPS (DoH), so the lookup never reaches the organisation's own resolvers and does not appear in conventional DNS logs, and then connects outbound to a custom SSH server at that address. The operator interacts with the implant over SSH channels: the standard 'session' channel provides the remote shell, and a non-standard 'jump' channel type provides reverse-SSH tunnelling. Together with its TCP tunnelling, this lets an actor who has compromised the perimeter device pivot into the LAN behind it, moving laterally and exfiltrating data over a connection the firewall itself initiated.

The tool implements some operational security measures, but its network traffic is distinctive: the SSH identification string it presents impersonates an outdated SSH version, which can be turned into a detection signature (an SSH client running on a firewall and advertising a version far older than anything legitimately deployed). The published indicators are six file hashes (two MD5, two SHA-1 and two SHA-256, judging by their lengths) and the C2 hostname phcia.duckdns.org, a dynamic DNS name. The analysis covers post-exploitation behaviour only; how the firewall is initially compromised is not described here, so the patching advice below addresses that unspecified initial access rather than SHOE RACK itself.
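As an added example (not part of the OTX pulse or the NCSC report), the following Python turns the two observable traits above into a detection over Zeek-style ssh.log records: it keeps only SSH sessions that the perimeter device itself initiates towards external addresses and ranks each by what the client identification string claims. The log lines, the firewall address 192.0.2.10, the internal address ranges and the version floor (OpenSSH 7.0) are all constructed or assumed; the page does not give the exact string SHOE RACK presents, so the floor is a knob to tune, not a signature.

```python
"""Flag SSH sessions that a perimeter device itself initiates towards the
internet, and rank them by what the client identification string claims.
Added example; log lines are constructed, the version floor is an assumption."""
import ipaddress
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)")

# Assumption: a genuine client older than this is implausible on a live network.
# The page does not state the exact version string SHOE RACK impersonates.
MIN_OPENSSH: Tuple[int, int] = (7, 0)

# Assumption: address space of the internal LAN; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed Zeek ssh.log-style TSV (a subset of Zeek's fields). 192.0.2.10 plays
# the firewall; 198.51.100.7 and 203.0.113.5 play external hosts. "-" is Zeek's unset marker.
SAMPLE_SSH_LOG = "\n".join("\t".join(row) for row in [
    ("#fields", "ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "client", "server"),
    ("1719435958.1", "192.0.2.10", "51422", "198.51.100.7", "22", "SSH-2.0-OpenSSH_5.1", "SSH-2.0-OpenSSH_9.6"),
    ("1719435990.4", "10.0.0.25", "50311", "10.0.0.9", "22", "SSH-2.0-OpenSSH_9.2", "SSH-2.0-OpenSSH_9.2"),
    ("1719436020.0", "192.0.2.10", "51501", "203.0.113.5", "443", "SSH-2.0-OpenSSH_9.6", "SSH-2.0-OpenSSH_8.9"),
    ("1719436055.7", "192.0.2.10", "51610", "198.51.100.7", "22", "-", "SSH-2.0-OpenSSH_9.6"),
])
PERIMETER_HOSTS = {"192.0.2.10"}  # assumption: management addresses of the firewalls


class SshEvent(NamedTuple):
    ts: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    client: str
    server: str


def parse_banner(banner: str) -> Optional[Tuple[str, str]]:
    """Split an identification string into (protoversion, softwareversion); None if malformed."""
    m = BANNER_RE.match(banner.strip())
    return (m.group("proto"), m.group("software")) if m else None


def openssh_version(software: str) -> Optional[Tuple[int, int]]:
    """(major, minor) for an OpenSSH software string such as OpenSSH_8.9p1; None otherwise."""
    m = OPENSSH_RE.match(software)
    return (int(m.group("major")), int(m.group("minor"))) if m else None


def is_outdated_openssh(banner: str, floor: Tuple[int, int] = MIN_OPENSSH) -> bool:
    parsed = parse_banner(banner)
    if parsed is None:
        return False  # malformed banners are reported separately
    ver = openssh_version(parsed[1])
    return ver is not None and ver < floor


def parse_zeek_tsv(text: str) -> Iterator[SshEvent]:
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            row = dict(zip(fields, line.split("\t")))
            yield SshEvent(row["ts"], row["id.orig_h"], int(row["id.orig_p"]),
                           row["id.resp_h"], int(row["id.resp_p"]), row["client"], row["server"])


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(ev: SshEvent, floor: Tuple[int, int] = MIN_OPENSSH) -> Tuple[str, str]:
    """Severity and reason for one outbound session opened by a perimeter device."""
    if ev.client == "-":
        return "low", "outbound SSH from perimeter device, client banner not observed"
    if parse_banner(ev.client) is None:
        return "medium", f"malformed client banner {ev.client!r}"
    if is_outdated_openssh(ev.client, floor):
        return "high", f"client claims outdated {ev.client}"
    return "low", "outbound SSH from perimeter device"


def detect(text: str, perimeter_hosts=PERIMETER_HOSTS, floor=MIN_OPENSSH) -> List[Dict[str, str]]:
    alerts = []
    for ev in parse_zeek_tsv(text):
        if ev.orig_h not in perimeter_hosts or is_internal(ev.resp_h):
            continue  # only sessions the perimeter device opens towards external hosts
        severity, reason = classify(ev, floor)
        alerts.append({"ts": ev.ts, "src": ev.orig_h, "dst": f"{ev.resp_h}:{ev.resp_p}",
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_SSH_LOG):
        print(a["severity"].upper(), a["ts"], a["src"], "->", a["dst"], a["reason"])
```

The point of keeping the low-severity rows is that a firewall opening any SSH session towards the internet is itself worth a look; the banner check only decides how loudly to say so. Banners that Zeek did not capture get reported rather than silently dropped.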

Potential Impact

For European organisations running FortiGate 100D firewalls at the network edge, a SHOE RACK compromise means an attacker holds persistent, interactive shell access on the perimeter device and a covert outbound SSH channel from it. Because the 'jump' channel and TCP tunnelling run through the firewall, the attacker can reach internal hosts that were never exposed to the internet, so the blast radius is the LAN behind the device: access to sensitive data, disruption of services, staging of further malware and, at the extreme, espionage, sabotage or ransomware deployment. FortiGate appliances are common in critical infrastructure, government, finance and enterprise networks across Europe, and the DoH-based C2 resolution means resolver-based monitoring will not see the C2 lookup. Overall the risk to confidentiality, integrity and availability is medium to high, with follow-on effects on business continuity and on breach-notification obligations under GDPR.

Mitigation Recommendations

1. Patching and firmware updates: keep FortiGate 100D firewalls on current Fortinet firmware so that whatever path is used for the initial compromise (not identified in this report) is closed before post-exploitation tooling can be deployed.
2. Network segmentation: limit what the firewall's own management plane can reach internally. A tunnel through the device is only as useful to the attacker as the internal hosts the device itself is allowed to talk to.
3. Monitor SSH traffic anomalies: alert on SSH sessions that the firewall itself initiates towards external hosts, and on client identification strings that claim an outdated SSH version, the distinctive trait of SHOE RACK communications.
4. DNS-over-HTTPS control: log or inspect DoH at a TLS inspection point where one exists, block well-known public DoH resolvers for devices that should use the internal resolver, and restrict the firewall's own outbound HTTPS to the vendor endpoints it needs, so a C2 lookup from the device stands out or fails.
5. Harden firewall management interfaces: require multi-factor authentication (MFA), restrict access to allowlisted source addresses or a management VPN, and do not expose management on WAN-facing interfaces.
6. Incident response readiness: have forensic and remediation plans for a compromised perimeter device, including how to isolate it quickly and how to re-establish connectivity through a clean path.
7. Threat intelligence integration: load the file hashes and the C2 domain below into IDS/IPS and EDR tooling; note that, because the implant resolves the C2 over DoH, the domain will not surface in ordinary resolver logs.
8. Regular audits and penetration testing: assess firewall configurations and the segmentation behind them frequently enough to find weaknesses before an attacker does.


Technical Details

Author: AlienVault
TLP: white
References: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/shoe-rack-tipper/ncsc-tip-shoe_rack.pdf
Adversary: none listed
Pulse ID: 685db6369b02a4190c284f2d
Threat Score: none

Indicators of Compromise

Hash (type inferred from digest length)

MD5      8535eb46a621f806a21fb9c1f4f79ab2
MD5      fa2a49f137a622c20ab078c0f7028cf2
SHA-1    a11e33292d6fe1eb27860c70276fcae118bcf274
SHA-1    d47d8c42556fe5081a94483eb47be4c59a515861
SHA-256  5c5843ae833cab1417a0ac992b5007fce40158fc3afec4c6e4fd0e932de07177
SHA-256  d86d360f51550feccfd92f0e04891591ab9b0c049eacd07d49460f6b3d7764bf

Domain

phcia.duckdns.org  (C2 hostname, resolved by the implant over DoH)
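The listed hashes are a mix of MD5, SHA-1 and SHA-256 digests, so a file sweep has to digest each file with every algorithm present in the set rather than with one. As an added example, not from the page or the NCSC report, the Python below does that for the page's own hashes and also matches names against the C2 domain, including subdomains and a trailing dot. Caveat: the implant resolves the C2 over DoH, so the name will not appear in resolver logs; feed the name matcher from a TLS-inspecting proxy that decrypts DoH, from EDR telemetry, or from any other source where the name surfaces. The sample bytes and names are constructed.

```python
"""Match the IoCs listed on this page against file contents and observed names.
Added example; the hashes and domain are the page's, sample inputs are constructed."""
import hashlib
import os
from typing import Dict, Iterable, List, Set

# IoCs taken from the page. Algorithm is inferred from the hex length.
IOC_HASHES = {
    "8535eb46a621f806a21fb9c1f4f79ab2",
    "fa2a49f137a622c20ab078c0f7028cf2",
    "a11e33292d6fe1eb27860c70276fcae118bcf274",
    "d47d8c42556fe5081a94483eb47be4c59a515861",
    "5c5843ae833cab1417a0ac992b5007fce40158fc3afec4c6e4fd0e932de07177",
    "d86d360f51550feccfd92f0e04891591ab9b0c049eacd07d49460f6b3d7764bf",
}
IOC_DOMAINS = {"phcia.duckdns.org"}

HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(h: str) -> str:
    """Return the hashlib algorithm name for a hex digest, rejecting anything that is not one."""
    h = h.strip().lower()
    algo = HEX_LEN_TO_ALGO.get(len(h))
    if algo is None or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a recognised hex digest: {h!r}")
    return algo


def index_hashes(hashes: Iterable[str]) -> Dict[str, Set[str]]:
    """Group IoC hashes by algorithm so each file is digested only with the algorithms needed."""
    by_algo: Dict[str, Set[str]] = {}
    for h in hashes:
        by_algo.setdefault(classify_hash(h), set()).add(h.strip().lower())
    return by_algo


def digests(data: bytes, algos: Iterable[str]) -> Dict[str, str]:
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def match_bytes(data: bytes, hashes: Iterable[str] = IOC_HASHES) -> List[str]:
    """'algo:digest' for every IoC hash that the given bytes produce."""
    by_algo = index_hashes(hashes)
    found = [f"{algo}:{d}" for algo, d in digests(data, by_algo).items() if d in by_algo[algo]]
    return sorted(found)


def sweep_directory(root: str, hashes: Iterable[str] = IOC_HASHES) -> Dict[str, List[str]]:
    """Walk a tree and report files whose content matches any IoC hash."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue  # unreadable or vanished; not a match
            matched = match_bytes(data, hashes)
            if matched:
                hits[path] = matched
    return hits


def domain_matches(qname: str, iocs: Iterable[str] = IOC_DOMAINS) -> bool:
    """True if qname is an IoC domain or a subdomain of one. Case and trailing dot are ignored;
    the IoC must be a whole-label suffix, so 'phcia.duckdns.org.evil.example' does not match."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in iocs)


def scan_names(records: Iterable[str], iocs: Iterable[str] = IOC_DOMAINS) -> List[str]:
    """records: whitespace-separated 'ts source name' lines from whatever source exposes names
    (decrypted DoH at a proxy, EDR telemetry); returns the lines whose name matches an IoC."""
    return [r for r in records if len(r.split()) >= 3 and domain_matches(r.split()[2], iocs)]


# Constructed sample name records; 192.0.2.10 plays the firewall.
SAMPLE_NAMES = [
    "1719435950 192.0.2.10 phcia.duckdns.org",
    "1719435951 10.0.0.25 www.example.com",
    "1719435952 192.0.2.10 PHCIA.duckdns.org.",
    "1719435953 10.0.0.26 other.duckdns.org",
]

if __name__ == "__main__":
    print(index_hashes(IOC_HASHES))
    print(scan_names(SAMPLE_NAMES))
```

`match_bytes` reads each file once and computes only the digest types present in the IoC set, which matters when the set later grows to thousands of entries. Matching on the exact DuckDNS name rather than on duckdns.org as a whole avoids flagging every other user of that free dynamic DNS service.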

Threat ID: 685db983ca1063fb87490368

Added to database: 6/26/2025, 9:20:03 PM

Last enriched: 6/26/2025, 9:35:08 PM

Last updated: 8/16/2025, 5:12:01 PM
