ShadowV2

At the end of October, during a global disruption of AWS connectivity, FortiGuard Labs observed malware named “ShadowV2” spreading through IoT vulnerabilities.  The incidents affected multiple countries worldwide and spanned seven industries.  To date, the malware appears to have been active only during the large-scale AWS outage, and researchers believe the activity was likely a test run in preparation for future attacks.  The following article provides a detailed analysis of these incidents and of the ShadowV2 malware.

Incidents - Fortinet sensors detected active exploitation attempts linked to a Mirai-based botnet known as ShadowV2.  The variant propagated through multiple vulnerabilities that were identified and blocked by Fortinet's Intrusion Prevention System (IPS).  ShadowV2 had previously been observed targeting AWS EC2 instances in campaigns disclosed in September.[1]

Based on Fortinet's analysis, ShadowV2 was built on the architecture of an existing Mirai variant and designed for IoT devices.  The exploitation attempts originated from 198[.]199[.]72[.]27 and targeted vulnerabilities in the following vendors' products:

DD-WRT: CVE-2009-2765

D-Link: CVE-2020-25506, CVE-2022-37055, CVE-2024-10914, CVE-2024-10915

DigiEver: CVE-2023-52163

TBK:  CVE-2024-3721

TP-Link: CVE-2024-53375

 

Figure 1: DD-WRT exploit traffic via CVE-2009-2765

Figure 2: D-Link exploit traffic via CVE-2020-25506

Figure 3: DigiEver exploit traffic via CVE-2023-52163

Figure 4: TBK exploit traffic via CVE-2024-3721

Figure 5: TP-Link exploit traffic via CVE-2024-53375

 

The affected countries are distributed globally, including:

Americas: Canada, United States, Mexico, Brazil, Bolivia, Chile

Europe: United Kingdom, Netherlands, Belgium, France, Czechia, Austria, Italy, Croatia, Greece

Africa: Morocco, Egypt, South Africa

Asia: Turkey, Saudi Arabia, Russia, Kazakhstan, China, Thailand, Japan, Taiwan, Philippines

Oceania: Australia
Figure 6: Countries worldwide possibly affected by the incidents

Within these countries, the affected industries include technology, retail and hospitality, manufacturing, managed security service providers, government, telecommunications and carrier services, and education.

Malware Analysis - After exploiting one of the vulnerabilities above, the attacker fetches and runs a downloader script, binary.sh, which in turn retrieves the ShadowV2 binaries (filenames prefixed with “shadow”, such as shadow.x86_64) from 81[.]88[.]18[.]108.

Figure 7: Downloader script binary.sh

ShadowV2 is structurally similar to the classic Mirai variant LZRD.  It decodes an XOR-encoded configuration, initializes its attack methods, and connects to a C2 server to receive commands that trigger DDoS attacks.  The following analysis is based on the x86-64 (AMD64) build, shadow.x86_64.

It XOR-decodes its configuration with a single-byte key, 0x22.  This is the same value the classic Mirai table key 0xDEADBEEF collapses to when its four bytes are applied in turn to each byte (0xDE ^ 0xAD ^ 0xBE ^ 0xEF = 0x22), so standard Mirai string decoders work on it unchanged.  The decoded configuration contains file system paths, process and BusyBox command strings, IRC-style command names, HTTP headers, and User-Agent strings.


Figure 8: XOR-encoded configuration

 

%””%

lzrd cock fest

/proc/

/exe

(deleted)

/fd

.anime

/status

dvrHelper

NiGGeR69xd

1337SoraLOADER

NiGGeRd0nks1337

X19I239124UIU

IuYgujeIqn

14Fa

ccAD

/proc/net/route

/proc/cpuinfo

BOGOMIPS

/etc/rc.d/rc.local

g1abc4dmo35hnp2lie0kjf

/dev/watchdog

/dev/misc/watchdog

/dev/FTWDT101_watchdog

/dev/netslink/

PRIVMSG

GETLOCALIP

KILLATTK

Eats8

v[0v

93OfjHZ2z

GhostWuzHere666

WsGA4@F6F

ACDB

AbAd

iaGv

shell

enable

system

sh

/bin/busybox LZRD

LZRD: applet not found

ncorrect

/bin/busybox ps

/bin/busybox kill -9

TSource Engine Query

/etc/resolv.conf

nameserver

Connection: keep-alive

keep-alive

setCookie('

refresh:

location:

set-cookie:

content-length:

transfer-encoding:

chunked

connection:

server: dosarrest

server: cloudflare-nginx

assword

ogin

enter

dkaowjfirhiad1j3edjkai

Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/webp,*/*;

Accept-Language: en-US,en;q=0.8

Content-Type: application/x-www-form-urlencoded

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/4.0; GTB7.4; InfoPath.3; SV1; .NET CLR 3.4.53360; WOW64; en-US)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; FDM; MSIECrawler; Media Center PC 5.0)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 4.4.58799; WOW64; en-US)

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94
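The decoding step described above, as an added example that is not code from Fortinet or Red Sky Alliance: a small Python scanner that applies the 0x22 key to a blob and keeps only runs that decode to printable text ending in a NUL byte, which is how Mirai's table.c stores each entry (the XORed string together with its XORed terminator). The sample blob is constructed here from a few strings in the decoded list above, mixed with ordinary plaintext and code bytes; it is not data taken from shadow.x86_64, and the helper names are my own.

```python
"""Recover XOR-obfuscated Mirai-style table strings.

Added example, not code from Fortinet or Red Sky Alliance. ShadowV2 decodes
its table with the single byte 0x22; that is also what classic Mirai's
table key 0xDEADBEEF collapses to, since 0xDE ^ 0xAD ^ 0xBE ^ 0xEF == 0x22.
"""

KEY = 0x22


def xor_bytes(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def encode_entry(text: str, key: int = KEY) -> bytes:
    """Build one table entry the way Mirai's table.c stores it:
    the string XORed with the key, including its NUL terminator."""
    return xor_bytes(text.encode("ascii") + b"\x00", key)


def decode_table(blob: bytes, key: int = KEY, min_len: int = 3) -> list:
    """Return (offset, string) for candidate table entries in blob.

    A real entry decodes to a run of printable ASCII followed by a decoded
    0x00 (a raw 0x22 byte). Requiring that terminator is what separates
    table entries from plaintext that merely happens to look printable
    after XOR (for example, 'ABCD' XOR 0x22 is 'cdef').
    """
    decoded = xor_bytes(blob, key)
    found, start = [], None
    for i, b in enumerate(decoded):
        if 0x20 <= b < 0x7F:          # printable ASCII: open or extend a run
            if start is None:
                start = i
            continue
        if start is not None and b == 0 and i - start >= min_len:
            found.append((start, decoded[start:i].decode("ascii")))
        start = None                  # any non-printable byte closes the run
    return found


# Constructed sample, not bytes from shadow.x86_64: an ELF magic, a libc
# version string and a fragment of x86-64 code around four encoded entries
# taken from the decoded list above, plus a plaintext HTTP header at the end.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 5
    + b"GLIBC_2.2.5\x00"
    + b"\x48\x89\xe5\x48\x83\xec\x20"      # mov rbp,rsp ; sub rsp,0x20
    + encode_entry("/proc/net/route")
    + encode_entry("/bin/busybox LZRD")
    + encode_entry("TSource Engine Query")
    + encode_entry("/etc/resolv.conf")
    + b"\xc3\x90\x90"                      # ret ; nop ; nop
    + b"Connection: keep-alive\x00"
)


def decoded_strings(blob: bytes = SAMPLE) -> list:
    """Just the recovered strings, in file order."""
    return [text for _, text in decode_table(blob)]


if __name__ == "__main__":
    for offset, text in decode_table(SAMPLE):
        print(f"0x{offset:04x}  {text}")
```

Run against a real sample, the scanner is best pointed at the .rodata/.data section rather than the whole file; the NUL-terminator rule filters most code bytes, but a lower min_len (needed to catch short entries such as "sh") raises the false-positive rate, so review the offsets rather than trusting the list blindly.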

 

ShadowV2 first attempts to resolve the C2 domain silverpath[.]shadowstresser[.]info, which is expected to resolve to 81[.]88[.]18[.]108, by querying the DNS server 8.8.8.8 directly.  If the domain cannot be resolved, ShadowV2 falls back to connecting directly to the hardcoded C2 IP address.

Figure 9: Establishing a connection with the C2 server
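The lookup-then-fallback behaviour described above is worth detecting as a sequence, not only as two separate IOC hits: a device that asks 8.8.8.8 for the C2 domain, fails, and then opens a connection to the hardcoded IP anyway is behaving exactly like this binary. The following Python is an added example (not code from Fortinet or Red Sky Alliance) that flags the C2 domain, the two IPs from the IOC list, and that failed-lookup-then-direct-IP pattern. The log lines, their tab-separated format, the ports and the 60-second window are all constructed or assumed for the example; the write-up does not state the C2 port.

```python
"""Flag ShadowV2 C2 traffic, including the DNS-failure-then-direct-IP fallback.

Added example, not code from Fortinet or Red Sky Alliance. The log format is
a simplified tab-separated one assumed for the example:
    dns   <ts> <src> <resolver> <query> <rcode>
    conn  <ts> <src> <dst> <dport>
"""

C2_DOMAIN = "silverpath.shadowstresser.info"
C2_IPS = {"81.88.18.108"}
EXPLOIT_SOURCES = {"198.199.72.27"}
FALLBACK_WINDOW = 60   # seconds; assumed for the example, not stated on the page

# Constructed log lines (not real telemetry). Ports are placeholders.
SAMPLE_LOG = """\
dns\t1000\t10.0.0.7\t10.0.0.1\tpool.ntp.org\tNOERROR
dns\t1005\t10.0.0.7\t8.8.8.8\tsilverpath.shadowstresser.info\tNXDOMAIN
conn\t1006\t10.0.0.7\t81.88.18.108\t443
dns\t1100\t10.0.0.9\t10.0.0.1\tSilverpath.ShadowStresser.info.\tNOERROR
conn\t1101\t10.0.0.9\t81.88.18.108\t443
conn\t1200\t198.199.72.27\t10.0.0.12\t80
conn\t1300\t10.0.0.3\t93.184.216.34\t443
"""


def parse(log_text: str) -> list:
    """Turn the sample format into dicts, normalising the query name
    (lower-case, trailing dot stripped) so IOC matching is exact."""
    events = []
    for line in log_text.splitlines():
        f = line.split("\t")
        if f[0] == "dns":
            events.append({"kind": "dns", "ts": int(f[1]), "src": f[2], "resolver": f[3],
                           "query": f[4].lower().rstrip("."), "rcode": f[5]})
        elif f[0] == "conn":
            events.append({"kind": "conn", "ts": int(f[1]), "src": f[2],
                           "dst": f[3], "dport": int(f[4])})
    return events


def detect(log_text: str) -> list:
    """Return (ts, host, reason) alerts in time order."""
    alerts = []
    failed_lookup = {}     # host -> ts of its most recent failed C2 lookup
    for e in sorted(parse(log_text), key=lambda ev: ev["ts"]):
        if e["kind"] == "dns":
            if e["query"] != C2_DOMAIN:
                continue
            alerts.append((e["ts"], e["src"],
                           f"lookup of C2 domain {C2_DOMAIN} via {e['resolver']} -> {e['rcode']}"))
            if e["rcode"] != "NOERROR":
                failed_lookup[e["src"]] = e["ts"]
            continue
        if e["dst"] in C2_IPS:
            reason = f"connection to C2 IP {e['dst']}:{e['dport']}"
            t = failed_lookup.get(e["src"])
            if t is not None and 0 <= e["ts"] - t <= FALLBACK_WINDOW:
                reason += f" within {e['ts'] - t}s of a failed lookup (hardcoded-IP fallback)"
            alerts.append((e["ts"], e["src"], reason))
        if e["src"] in EXPLOIT_SOURCES:
            alerts.append((e["ts"], e["dst"],
                           f"inbound connection from exploit source {e['src']} to port {e['dport']}"))
    return alerts


def fallback_hosts(log_text: str) -> set:
    """Hosts that went straight to the hardcoded C2 IP after a failed lookup."""
    return {host for _, host, reason in detect(log_text) if "fallback" in reason}


if __name__ == "__main__":
    for ts, host, reason in detect(SAMPLE_LOG):
        print(ts, host, reason)
```

The resolver field is kept in the alert on purpose: an IoT device sending its lookups to 8.8.8.8 rather than the site resolver is a secondary signal that the write-up supports, and it also means a sinkhole or block on the internal resolver alone will not stop this binary from finding its C2, since it falls back to the IP regardless.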

While executing, the malware prints the string “ShadowV2 Build v1.0.0 IoT version”.  Based on this string, Fortinet assesses that this may be the first version of ShadowV2 developed for IoT devices.


Figure 10: String displayed while executing ShadowV2

The malware initializes its DDoS attack methods and allocates an attack function table.


Figure 11: Initializing the DDoS attack methods


Figure 12: Initializing the DDoS attack method "UDP flood"

ShadowV2 supports two transport-layer protocols (UDP and TCP) and the HTTP application protocol.  The implemented attack methods include UDP floods, several TCP-based floods, and HTTP-level floods.  The malware maps these behaviors to internal function names such as UDP, UDP Plain, UDP Generic, UDP Custom, TCP, TCP SYN, TCP Generic, TCP ACK, TCP ACK STOMP, and HTTP.

It then listens for commands from the C2 server and launches a DDoS attack using the attack method ID and parameters carried in each command.

Figure 13: Triggering the DDoS attack methods

Conclusion - Our analysis of ShadowV2 reveals that IoT devices remain a weak link in the broader cybersecurity landscape.  The evolution of ShadowV2 suggests a strategic shift in threat actors' targeting behavior toward IoT environments.  This underscores the importance of maintaining timely firmware updates, enforcing robust security practices, and continuously monitoring relevant threat intelligence to strengthen overall situational awareness and ensure ecosystem resilience.

IOCs

Hosts

silverpath[.]shadowstresser[.]info
81[.]88[.]18[.]108
198[.]199[.]72[.]27

Files

Downloader
7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a

ShadowV2
0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe
dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83
6f1a5f394c57724a0f1ea517ae0f87f4724898154686e7bf64c6738f0c0fb7b6
5b5daeaa4a7e89f4a0422083968d44fdfe80e9a32f25a90bf023bca5b88d1e30
c0ac4e89e48e854b5ddbaef6b524e94cc86a76be0a7a8538bd3f8ea090d17fc2
499a9490102cc55e94f6a9c304eea86bbe968cff36b9ac4a8b7ff866b224739f
bb326e55eb712b6856ee7741357292789d1800d3c5a6be4f80e0cb1320f4df74
24ad77ed7fa9079c21357639b04a526ccc4767d2beddbd03074f3b2ef5db1b69
80ee2bf90545c0d539a45aa4817d0342ff6e79833e788094793b95f2221a3834
cb42ae74216d81e87ae0fd51faf939b43655fe0be6740ac72414aeb4cf1fecf2
22aa3c64c700f44b46f4b70ef79879d449cc42da9d1fe7bad66b3259b8b30518
c62f8130ef0b47172bc5ec3634b9d5d18dbb93f5b7e82265052b30d7e573eef3

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


 

[1] https://www.fortinet.com/blog/threat-research/shadowv2-casts-a-shadow-over-iot-devices/
