The US Cybersecurity and Infrastructure Security Agency (CISA) has published analysis reports on three malware families used in attacks that leveraged a remote command injection vulnerability in the Barracuda Email Security Gateway (ESG). The vulnerability, tracked as CVE-2023-2868, affects ESG appliance versions 5.1.3.001 through 9.2.0.006 and was exploited as a zero-day from October 2022 onward. Barracuda patched the bug in May 2023.
The campaign has been attributed to UNC4841, a Chinese state-sponsored cyberespionage group. The group exploited the vulnerability to gain a foothold on the appliance, execute a reverse shell, and download custom backdoors for persistence. The malware families identified so far include SeaSpy, SaltWater, SeaSide and SandBar, along with trojanized versions of legitimate Barracuda Lua modules, tracked as SeaSpray and SkipJack. Victims span at least 16 countries and are primarily government officials and high-profile academics; more than half of the affected organizations are located in the Americas.
On Friday, CISA released three malware analysis reports covering an exploit payload and its accompanying backdoor, the SeaSpy backdoor, and Submarine, a persistent backdoor that runs with root privileges. All of them were used in at least one attack that exploited the Barracuda appliance. CISA says it obtained 14 malware samples representing 'Barracuda exploit payloads and reverse shell backdoors'.
The payload arrives as a malicious attachment on a phishing email. When the appliance processes the attachment, the command injection (CVE-2023-2868) fires and deploys a reverse shell that establishes command-and-control (C&C) communication using OpenSSL and then fetches the SeaSpy backdoor. SeaSpy poses as a legitimate Barracuda service and watches network traffic for a trigger from the C&C; on receiving it, the backdoor opens a TCP reverse shell that gives the attackers command execution on the appliance.
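Barracuda's advisory states that CVE-2023-2868 stems from incomplete validation of the names of files inside a user-supplied .tar attachment, so one practical mail-pipeline check is to flag archives whose member names carry shell metacharacters before they reach a vulnerable parser. The following is an added example written for this article, not code from CISA or Barracuda; the metacharacter set is a heuristic chosen here, and the sample archive is constructed inline for demonstration.

```python
import io
import re
import tarfile

# Characters that let a filename break out of a shell command string.
# This set is an assumption chosen for the example; tune it to your parser.
SHELL_META = re.compile(r"[`$|;&<>(){}\n]")


def suspicious_member_names(tar_bytes: bytes) -> list[str]:
    """Return tar member names that contain shell metacharacters.

    Non-tar or truncated input yields an empty list rather than raising,
    so the check can sit inline in an attachment-scanning pipeline.
    """
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
            return [m.name for m in tar.getmembers() if SHELL_META.search(m.name)]
    except tarfile.TarError:
        return []


def build_tar(names: list[str]) -> bytes:
    """Construct an in-memory tar archive with the given member names.

    Used only to produce constructed sample input for this example.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            data = b"x"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one benign member and one whose name wraps a
    # command in backticks, the shape of filename a command injection abuses.
    sample = build_tar(["report.txt", "`id > /tmp/x`"])
    print(suspicious_member_names(sample))  # ['`id > /tmp/x`']
```

The scan reads member names only and never extracts or executes anything, so it is safe to run on untrusted attachments; a hit should quarantine the message and raise an alert rather than merely strip the archive, since the filename itself is the indicator worth keeping for investigation.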
Submarine, according to CISA, is a novel persistent backdoor 'that lives in a Structured Query Language (SQL) database on the ESG appliance' and can also be used for lateral movement. 'Submarine comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command-and-control, and cleanup,' the agency notes.
In addition to technical details on the analyzed samples, CISA's malware analysis reports include indicators of compromise (IoCs) and YARA rules that defenders can use for detection.