
ShadowV2: Self-Service DDoS Attacks Now Available

Summary

– ShadowV2 is a DDoS botnet that infects misconfigured, internet-exposed Docker daemons on cloud instances, such as those hosted on AWS.
– It operates as a DDoS-as-a-service platform, allowing customers to rent the botnet to launch their own attacks instead of the operators doing it themselves.
– The infection uses a Python script from GitHub CodeSpaces to create a generic container, customize it with attack tools, and deploy a live container with undetected malware.
– The malware uses a Go-based binary and the Fast HTTP library to launch high-performance HTTP flood attacks with various bypass mechanisms like HTTP2 rapid reset.
– The command-and-control platform features a user API with authentication and privilege levels, shifting detection focus to unusual Docker API calls and control plane behaviors.

A newly identified distributed denial-of-service (DDoS) botnet is actively compromising misconfigured Docker containers, introducing a concerning self-service model that allows customers to launch their own cyberattacks, according to cybersecurity firm Darktrace. Dubbed ShadowV2, this operation represents a significant evolution in cybercrime by leveraging legitimate development tools to create an accessible attack platform.

The threat breaks from conventional DDoS services through its use of a Python-based command-and-control infrastructure hosted on GitHub CodeSpaces. This setup combines traditional malware tactics with modern DevOps technologies. The infection process begins when a script hosted on CodeSpaces interacts with Docker daemons exposed on internet-accessible AWS cloud instances. Rather than pulling a pre-made image from Docker Hub, the attackers spawn a generic ‘setup’ container. They then install various tools inside it, create a new customized image, and deploy it as a live, malicious container.

This container functions as a wrapper for a Go-based binary that currently has no detections on VirusTotal. Analysis shows the malware initiates multiple threads using configurable HTTP clients built with Valyala’s Fast HTTP library, enabling it to execute high-performance HTTP flood attacks. The toolkit also incorporates several sophisticated bypass mechanisms, including HTTP2 rapid reset, spoofed forwarding headers with randomized IP addresses, and techniques to circumvent Cloudflare’s under-attack-mode (UAM) protection.

Although the C&C server itself is shielded by Cloudflare, Darktrace suspects it operates from GitHub CodeSpaces. A configuration error allowed researchers to access the server’s API documentation, revealing all available endpoints. The presence of a user API with authentication, tiered account privileges, and restrictions on attack types led investigators to conclude that ShadowV2 operates as a DDoS-as-a-service platform. This model enables customers to rent access to the infected botnet and conduct their own DDoS campaigns, rather than relying on the operators to launch attacks.

This hypothesis is supported by an endpoint that requires users to select which compromised systems to utilize in an attack. Another endpoint allows for the specification of hosts that should not be targeted. The existence of a full user interface and API transforms the botnet into a commercial-style platform. This shift means defenders must focus on behavioral indicators, such as anomalous Docker API calls, scripted container lifecycle events, and repetitive network traffic from short-lived nodes. Security professionals should view this threat as a product with a development roadmap, watching for modular upgrades, the abuse of legitimate cloud services, and evolving service models rather than treating it as a series of isolated incidents.
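The two defender-side checks that the write-up points at, a detector for the scripted "setup container, customise, commit, redeploy" lifecycle in Docker's own event stream and a review of daemon.json for an unauthenticated TCP listener, can be sketched in a few dozen lines of Python. This is an added example, not code from Darktrace or Security Week; it assumes the JSON shape produced by `docker events --format '{{json .}}'` and the standard `hosts`/`tlsverify` keys of daemon.json. The event lines, the two daemon.json variants and the 120-second window are constructed values chosen for illustration.

```python
"""Added example (not Darktrace's or Security Week's code): flag scripted
create -> exec -> commit -> redeploy container lifecycles in `docker events`
output, and review daemon.json for an unauthenticated remote API listener."""
import json
from collections import defaultdict

# Assumed threshold: a human rarely customises, commits and redeploys an image
# this quickly; a script does it in seconds.
WINDOW_SECONDS = 120

# Constructed sample of `docker events --format '{{json .}}'` lines (not real
# telemetry). c1 is a generic "setup" container that is customised via exec,
# committed to a new image and redeployed as c2; c9 is an ordinary deployment.
SAMPLE_EVENTS = """\
{"Type":"container","Action":"create","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1700000000}
{"Type":"container","Action":"exec_create: sh -c apt-get update","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup"}},"time":1700000005}
{"Type":"container","Action":"commit","Actor":{"ID":"c1","Attributes":{"image":"ubuntu:22.04","name":"setup","imageID":"sha256:c0ffee01"}},"time":1700000040}
{"Type":"container","Action":"create","Actor":{"ID":"c2","Attributes":{"image":"sha256:c0ffee01","name":"worker"}},"time":1700000042}
{"Type":"container","Action":"start","Actor":{"ID":"c2","Attributes":{"image":"sha256:c0ffee01","name":"worker"}},"time":1700000043}
{"Type":"container","Action":"create","Actor":{"ID":"c9","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1700000500}
{"Type":"container","Action":"start","Actor":{"ID":"c9","Attributes":{"image":"nginx:1.25","name":"web"}},"time":1700000501}
"""

# Constructed daemon.json variants: a plaintext listener on all interfaces
# versus a TLS-authenticated listener bound to one address.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}"""


def parse_events(text):
    """Reduce each container event to the fields the detector needs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue
        attrs = ev.get("Actor", {}).get("Attributes", {})
        events.append({
            # "exec_create: <cmd>" carries the command after the colon
            "action": ev["Action"].split(":", 1)[0],
            "container": ev["Actor"]["ID"],
            "image": attrs.get("image"),
            "image_id": attrs.get("imageID"),
            "time": int(ev["time"]),
        })
    return events


def find_scripted_lifecycles(events, window=WINDOW_SECONDS):
    """Return one finding per setup container that was created, modified via
    exec, committed and redeployed from the committed image within `window`."""
    by_container = defaultdict(list)
    for ev in events:
        by_container[ev["container"]].append(ev)
    findings = []
    for cid, evs in by_container.items():
        actions = {e["action"] for e in evs}
        if not {"create", "exec_create", "commit"} <= actions:
            continue
        created = next(e for e in evs if e["action"] == "create")
        committed = next(e for e in evs if e["action"] == "commit")
        if committed["time"] - created["time"] > window:
            continue
        # A container launched from the freshly committed image closes the loop
        deployed = [e for e in events
                    if e["action"] == "create" and e["image"] == committed["image_id"]
                    and 0 <= e["time"] - committed["time"] <= window]
        if deployed:
            findings.append({
                "setup_container": cid,
                "base_image": created["image"],
                "committed_image": committed["image_id"],
                "deployed_containers": [d["container"] for d in deployed],
                "seconds_create_to_deploy": deployed[0]["time"] - created["time"],
            })
    return findings


def daemon_exposure_findings(daemon_json_text):
    """List reasons a daemon.json exposes the Docker API to the network."""
    cfg = json.loads(daemon_json_text)
    problems = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            problems.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        if host.startswith("tcp://0.0.0.0") or host.startswith("tcp://[::]"):
            problems.append(f"{host}: bound to all interfaces")
    return problems


if __name__ == "__main__":
    for finding in find_scripted_lifecycles(parse_events(SAMPLE_EVENTS)):
        print("scripted lifecycle:", finding)
    for cfg in (WEAK_DAEMON_JSON, HARDENED_DAEMON_JSON):
        print("daemon.json findings:", daemon_exposure_findings(cfg) or "none")
```

On a real host the event stream would be fed from `docker events --format '{{json .}}'` (or the equivalent daemon audit log), and the lifecycle finding is worth correlating with which client address issued the API calls, since the page's indicator is a remote script driving the daemon rather than a local operator.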

(Source: Security Week)
