October 3, 2023

The U.S. CISA has alerted on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway appliances.

The vulnerability CVE-2023-2868 resides in the module for email attachment screening. Threat actors exploited the flaw to obtain unauthorized access to a subset of ESG appliances and also used for lateral movement.

As a novel persistent backdoor, it has been executed with root privileges that live in a SQL database on the ESG appliance. SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon that together to enable execution with root privileges, persistence, command and control, and cleanup.


Ealier in May 2023, Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.

In mid-June, Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.

The flaw has been exploited with incidents dating back to October 2022, at the very least. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances, allowing for persistent backdoor access.

 The set of families of malware employed in the attacks are:

  • SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
  • SEASPY – An x64 ELF persistent backdoor masquerades as a legitimate Barracuda Networks service and posing itself as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
  • SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.

Indicators of Compromise

  • 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0
  • 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab
  • 8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239
  • b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43
  • cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a
  • 2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5
  • bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a

Leave a Reply

%d bloggers like this: