The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has identified a new backdoor malware, dubbed 'Whirlpool', utilized in attacks on compromised Barracuda Email Security Gateway (ESG) devices.
In May, Barracuda disclosed that a suspected pro-China hacker group, tracked as UNC4841, had breached its ESG appliances in data-theft attacks. The attackers exploited a zero-day vulnerability, CVE-2023-2868, a critical-severity remote command injection flaw affecting Barracuda ESG versions 5.1.3.001 through 9.2.0.006.
The attacks, which began in October 2022, involved the installation of previously unknown malware named Saltwater and SeaSpy, as well as a malicious tool called SeaSide, which together gave the attackers persistent backdoor and reverse-shell access to the appliances. Recognizing the severity of the attacks, Barracuda offered replacement devices to all impacted customers free of charge, suggesting the intrusions ran deeper than initially believed.
CISA later provided additional details about another malware, Submarine, deployed in the attacks. More recently, CISA revealed the existence of yet another backdoor, 'Whirlpool', used in the attacks on Barracuda ESG devices. Whirlpool is the third distinct backdoor identified in the campaign, after SeaSpy and Submarine, reinforcing Barracuda's decision to replace devices rather than remediate them with software updates.
"This artifact is a 32-bit ELF file that has been identified as a malware variant named 'WHIRLPOOL,'" CISA's updated Barracuda ESG malware report read. "The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell."
The module that passes these arguments was not available for analysis. According to VirusTotal submissions, the Whirlpool malware appears to have run under a process named 'pd'.
In late May 2023, Barracuda discovered SeaSpy on compromised ESG appliances. SeaSpy is a persistent passive backdoor that disguises itself as a legitimate service, 'BarracudaMailService', and executes commands on behalf of the threat actors.
In late July 2023, CISA alerted about another unknown backdoor, 'Submarine', found in breached Barracuda devices. Submarine resides in the ESG's SQL database, facilitating root access, persistence, and command and control communications.
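The two behaviours the reporting above attributes to Whirlpool and SeaSpy (a process named 'pd' holding an outbound TLS session to a C2 IP and port, and a backdoor running under the name 'BarracudaMailService') can both be surfaced from a process listing and a socket table. The following triage script is an added example, not code from CISA, Barracuda or the article; it parses constructed `ps -eo pid,ppid,args` and `ss -tnp` style output (the PIDs, paths and addresses are made up for the example) and reports candidate findings. The temp-directory heuristic and the treatment of RFC 1918 ranges as "internal" are assumptions of the example, not published indicators.

```python
"""Triage a process/socket snapshot for the Whirlpool and SeaSpy behaviours
described in the CISA reporting. Example code, not an official detection."""
import ipaddress
import os
import re
from dataclasses import dataclass

# Constructed sample input (not real appliance output). The names 'pd' and
# 'BarracudaMailService' come from the reporting; PIDs, paths and IPs are made up.
PS_SAMPLE = """\
  PID  PPID COMMAND
    1     0 /sbin/init
  812     1 /usr/sbin/BarracudaMailService
 2231     1 /tmp/BarracudaMailService
 3045  2990 /tmp/pd
 3100     1 /usr/sbin/sshd -D
"""

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:51234       203.0.113.10:443    users:(("pd",pid=3045,fd=3))
ESTAB  0      0      10.0.0.5:22          10.0.0.99:50110     users:(("sshd",pid=3100,fd=4))
"""

# Assumption of this example: a service binary living here is worth a look.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    path: str

    @property
    def name(self) -> str:
        return os.path.basename(self.path)


@dataclass(frozen=True)
class Conn:
    pid: int
    proc: str
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Finding:
    kind: str
    pids: tuple
    detail: str


def parse_ps(text: str) -> list:
    """Parse `ps -eo pid,ppid,args`; the executable is the first token of args."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        procs.append(Proc(int(parts[0]), int(parts[1]), parts[2].split()[0]))
    return procs


SS_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+\S+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_ss(text: str) -> list:
    """Parse established sockets from `ss -tnp` output."""
    conns = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if m:
            conns.append(Conn(int(m.group(4)), m.group(3), m.group(1), int(m.group(2))))
    return conns


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def triage(ps_text: str, ss_text: str) -> list:
    procs = parse_ps(ps_text)
    by_pid = {p.pid: p for p in procs}
    findings = []
    # Whirlpool: 'pd' with an established outbound session (TLS reverse shell to C2 IP:port).
    for c in parse_ss(ss_text):
        p = by_pid.get(c.pid)
        if p is not None and p.name == "pd":
            scope = "internal" if is_internal(c.remote_ip) else "external"
            findings.append(Finding("whirlpool_reverse_shell", (c.pid,),
                            f"{p.path} connected to {c.remote_ip}:{c.remote_port} ({scope})"))
    # SeaSpy: anything presenting itself as BarracudaMailService.
    imposters = [p for p in procs if p.name == "BarracudaMailService"]
    if len(imposters) > 1:
        findings.append(Finding("service_name_collision", tuple(p.pid for p in imposters),
                        "multiple processes claim the BarracudaMailService name; compare against baseline"))
    for p in imposters:
        if p.path.startswith(TEMP_DIRS):
            findings.append(Finding("service_from_temp_dir", (p.pid,), f"{p.path} runs from a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(PS_SAMPLE, SS_SAMPLE):
        print(f.kind, f.pids, f.detail)
```

On a real appliance the snapshot would come from the vendor-supported diagnostic channel rather than an interactive shell, and any hit should be preserved rather than cleaned, since Barracuda's guidance for confirmed compromise is device replacement.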
Indicators of compromise and YARA rules that can help detect infections by the four newly discovered variants of SeaSpy and Whirlpool have been provided in a separate document. CISA urges anyone who identifies suspicious activity on their Barracuda ESG appliance, or signs of compromise by any of the three backdoors described above, to contact CISA's 24/7 Operations Center at 'email@example.com' to assist with its investigations.