Full Report
ShadowV2, a new Mirai-based botnet targeting IoT devices, surfaced during the recent AWS outage. FortiGuard Labs examines its propagation, DDoS capabilities, and global footprint.
Analysis Summary
# Tool/Technique: ShadowV2
## Overview
ShadowV2 is a new, active botnet variant based on the architecture of the Mirai malware, specifically resembling the LZRD variant. Its primary purpose is to compromise Internet of Things (IoT) devices globally to build a botnet, likely for launching Distributed Denial of Service (DDoS) attacks, as evidenced by its recent activity during a major AWS outage.
## Technical Details
- Type: Malware family (Botnet variant)
- Platform: Primarily targets IoT devices (including DD-WRT, D-Link, DigiEver, TBK, and TP-Link hardware). The specific build analyzed is x86-64 (AMD64).
- Capabilities: Exploits vulnerabilities for initial access, downloads secondary stages, receives commands from a C2 server, and executes DDoS attacks.
- First Seen: The activity described, involving an AWS outage, occurred in late October (implied 2025, based on article date).
## MITRE ATT&CK Mapping
*Note: Mapping is inferred based on observed actions (exploitation, C2 communication, DDoS).*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Inferred for C2 communication)
  - T1573 - Encrypted Channel (Inferred, configuration is obfuscated/encoded)
- **TA0008 - Lateral Movement** (Implied, as it spreads via multiple vulnerabilities)
  - T1021 - Remote Services (If exploiting remote services via vulnerable protocols)
- **TA0003 - Persistence** (Implied for a botnet)
  - T1543 - Create or Modify System Process
    - T1543.003 - Windows Service (If targeting systems other than typical IoT firmware)
  - (Likely modification of startup files common in embedded Linux/IoT)
## Functionality
### Core Capabilities
- **Initial Access:** Leverages an exploit delivery mechanism, spreading via a downloader script named `binary.sh`.
- **Propagation:** Exploits multiple known vulnerabilities across various IoT vendors, leveraging an IP (198[.]199[.]72[.]27) for initial exploitation traffic.
- **Configuration:** Initializes an XOR-encoded configuration using a single-byte key (`0x22`).
- **DDoS Execution:** Connects to a Command and Control (C2) server to receive instructions to initiate DDoS attacks.
### Advanced Features
- **Architecture Heritage:** Based on the established Mirai botnet architecture, specifically sharing structural similarities with the LZRD variant.
- **Obfuscation:** Uses XOR encoding for its configuration data, hiding embedded file system paths, HTTP headers, and User-Agent strings.
- **Targeted Exploitation:** Specifically targets known vulnerabilities across multiple vendors (DD-WRT, D-Link, DigiEver, TBK, TP-Link).
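To make the single-byte XOR obfuscation concrete, here is an added Python illustration of how an analyst decodes such a configuration table and confirms the key. It is not FortiGuard's code and was not taken from the ShadowV2 sample: only the key (`0x22`) and the decoded strings come from the report, while the length-prefixed table layout, the entry order and the byte offsets are constructed for the demo. The known-plaintext recovery generalizes beyond this sample to any single-byte XOR blob for which one decoded string is already known.

```python
"""
Decoder for a Mirai-style single-byte XOR configuration table.

Added illustration for this write-up; not FortiGuard's code and not taken from
the ShadowV2 sample. The table layout (length byte followed by the XOR-encoded
string) and the byte offsets are constructed for the demo; only the key (0x22)
and the plaintext strings come from the report.
"""

KEY = 0x22  # single-byte XOR key reported for ShadowV2's configuration

# Constructed sample: the decoded strings the report names, re-encoded with KEY.
SAMPLE_PLAINTEXTS = [
    b"eats8", b"lzrd", b"/dev/watchdog",
    b"/proc/net/route", b"/proc/cpuinfo", b"/etc/rc.d/rc.local",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def build_table(entries, key: int) -> bytes:
    """Pack entries as <len><encoded bytes>... (constructed layout for the demo)."""
    out = bytearray()
    for plain in entries:
        out.append(len(plain))
        out += xor_bytes(plain, key)
    return bytes(out)


def parse_table(blob: bytes, key: int) -> list:
    """Walk the length-prefixed table and decode each entry with the key."""
    entries, i = [], 0
    while i < len(blob):
        n = blob[i]
        i += 1
        entries.append(xor_bytes(blob[i:i + n], key).decode("latin-1"))
        i += n
    return entries


def recover_key(blob: bytes, crib: bytes = b"/dev/watchdog"):
    """Known-plaintext recovery: return the key under which the crib appears.

    XOR is bijective per byte, so the crib decodes from the blob exactly when
    crib^key is present in the raw bytes; a 13-byte crib rules out coincidences.
    """
    for k in range(256):
        if crib in xor_bytes(blob, k):
            return k
    return None


def candidate_keys(blob: bytes) -> list:
    """Fallback when no crib is known: keys whose decode is entirely printable
    ASCII (or NUL). Several keys may qualify, so treat this as a shortlist."""
    ok = set(range(0x20, 0x7F)) | {0}
    return [k for k in range(256) if all(b in ok for b in xor_bytes(blob, k))]


SAMPLE_BLOB = build_table(SAMPLE_PLAINTEXTS, KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(SAMPLE_BLOB))
    for s in parse_table(SAMPLE_BLOB, KEY):
        print(" ", s)
```

In practice the crib is whatever string the report already gave you (`/dev/watchdog` or `/proc/cpuinfo` are good choices because they are long and unambiguous); the printability shortlist is only a starting point when no decoded string is known yet.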
## Indicators of Compromise
- File Hashes (Partial List Provided):
  - Downloader (`_Downloader_`): `7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a`
  - ShadowV2: Multiple hashes listed, including `0408d57c5ded5c79bf1c5b15dfde95547e17b81214dfc84538edcdbef4e61ffe`, `dfaf34b7879d1a6edd46d33e9b3ef07d51121026b8d883fdf8aced630eda2f83`, etc.
- File Names:
  - Downloader script: `binary.sh`
  - Malware binary prefix: `shadow`
  - Configuration data components (decoded): `eats8`, `lzrd`, `NiGGeR69xd`, `/dev/watchdog`, etc.
- Registry Keys: [Not specified/applicable for typical IoT firmware]
- Network Indicators:
  - Exploitation Source IP: `198[.]199[.]72[.]27`
  - Download Source IP: `81[.]88[.]18[.]108`
  - C2 Server/Domain: `silverpath[.]shadowstresser[.]info`
- Behavioral Indicators:
  - Execution of `binary.sh` following vulnerability exploitation.
  - Attempts to modify or interact with paths like `/proc/net/route`, `/proc/cpuinfo`, and potential startup scripts (`/etc/rc.d/rc.local`).
  - Attempts to gain access to or check for watchdog devices (`/dev/watchdog`).
## Associated Threat Actors
- Not explicitly named, but the malware is a variant of the **Mirai** botnet family.
- The activity observed is treated as a "test run," suggesting the group behind it is preparing for larger attacks.
## Detection Methods
- Signature-based detection: FortiGuard IPS signatures are available for the exploited vulnerabilities (e.g., CVE-2009-2765, CVE-2020-25506).
- Behavioral detection: Detection of unusual process execution (`binary.sh`) or suspicious communication with known attacker IPs.
- FortiGuard Web Filtering Service blocks the identified C2 server.
- IP Reputation and Anti-Botnet Security Service proactively blocks source IPs.
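As an added example of the behavioral and network detection described above, the following Python matcher refangs the indicators listed in this write-up and runs them over a few constructed log lines. It is not FortiGuard's tooling: the indicator values come from the report, but the firewall, DNS, proxy and EDR log formats are assumed for the demo, as is the host `10.0.5.12`.

```python
"""
Minimal IoC matcher for the ShadowV2 indicators listed in this write-up.

Added illustration; not FortiGuard's tooling. The log lines are CONSTRUCTED to
resemble a firewall log, a DNS resolver log, an HTTP proxy log and an EDR
event; the field layouts are assumed, not taken from any product.
"""
import re

# Indicators exactly as the report gives them (defanged); refanged at load time.
DEFANGED_IOCS = {
    "exploitation-source-ip": ["198[.]199[.]72[.]27"],
    "download-source-ip":     ["81[.]88[.]18[.]108"],
    "c2-domain":              ["silverpath[.]shadowstresser[.]info"],
    "downloader-filename":    ["binary.sh"],
    "downloader-sha256":      ["7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a"],
}


def refang(indicator: str) -> str:
    """Turn the defanged report form (1[.]2[.]3[.]4, hxxp) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def compile_iocs(defanged: dict) -> dict:
    """One case-insensitive regex per category, bounded so that 81.88.18.108
    does not also fire on 181.88.18.108 or on a longer hostname."""
    compiled = {}
    for category, values in defanged.items():
        alternatives = "|".join(re.escape(refang(v)) for v in values)
        compiled[category] = re.compile(
            r"(?<![\w.])(?:%s)(?![\w.])" % alternatives, re.IGNORECASE)
    return compiled


def scan(lines, compiled: dict) -> list:
    """Return (line_number, category, matched_value) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for category, rx in compiled.items():
            for m in rx.finditer(line):
                hits.append((lineno, category, m.group(0)))
    return hits


# Constructed sample logs (formats and the 10.0.5.12 host are assumed).
SAMPLE_LOGS = [
    "fw: ACCEPT TCP 198.199.72.27:51234 -> 10.0.5.12:80",
    "dns: client 10.0.5.12 query A silverpath.shadowstresser.info",
    "proxy: 10.0.5.12 GET http://81.88.18.108/binary.sh 200 1824",
    "edr: host 10.0.5.12 exec /tmp/binary.sh "
    "sha256=7dfbf8cea45380cf936ffdac18c15ad91996d61add606684b0c30625c471ce6a",
    "proxy: 10.0.5.12 GET http://updates.example.net/firmware.bin 200 8192",
    "fw: ACCEPT TCP 10.0.5.12:44120 -> 181.88.18.108:80",  # near-miss, must not fire
]


def scan_sample() -> list:
    """Run the report's indicators over the constructed sample logs."""
    return scan(SAMPLE_LOGS, compile_iocs(DEFANGED_IOCS))


if __name__ == "__main__":
    for lineno, category, value in scan_sample():
        print("line %d: %s -> %s" % (lineno, category, value))
```

The boundary lookarounds matter more than they look: IP and domain indicators are short strings that appear as substrings of unrelated addresses and hostnames, and an unbounded `in` check would page an analyst on the near-miss line. Hash matching is exact by construction, but the same bounded regex keeps one code path for every category.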
## Mitigation Strategies
- **Patching/Updating:** Organizations must immediately patch or update vulnerable IoT devices/firmware listed (DD-WRT, D-Link, DigiEver, TBK, TP-Link).
- **Network Segmentation:** Isolate IoT environments from critical infrastructure.
- **Security Service Configuration:** Ensure Web Filtering and Anti-Botnet services are actively blocking known indicators.
- **Best Practices:** Organizations are encouraged to complete basic cybersecurity training (e.g., Fortinet FCF) to recognize initial attack vectors such as phishing; this is less relevant to automated IoT compromise, but it builds the broad security literacy the report recommends.
## Related Tools/Techniques
- **Mirai:** ShadowV2 is based on the Mirai architecture.
- **LZRD:** ShadowV2 is structurally similar to this existing Mirai variant.
- **DDoS Botnets:** General category of tools used for large-scale denial of service attacks.