October 3, 2023

Security researchers have discovered a third novel backdoor that was used in attacks on users of Barracuda ESG appliances recently.

The US CISA has released a new advisory detailing the malware, dubbed Whirlpool. It claimed the backdoor established a TLS reverse shell to a C2 server.

The malware takes two arguments from a module to establish a Transport Layer Security (TLS) reverse shell. The module that passes the arguments was not available for analysis.

The backdoor is one of several that UNC4841 has been using in its campaign. Mandiant’s initial report listed three that the company discovered when investigating the Barracuda attacks: “Seaspray,” “Seaside,” and “Saltwater.”


Seaspray is the threat group’s primary backdoor for the campaign, Saltwater is a module for Barracuda’s SMTP daemon that contains backdoor functionality, and Seaside is a Lua-based module for the Barracuda SMTP daemon.

This comes after a separate CISA update at the end of July in which the agency revealed a separate backdoor, dubbed “Submarine,” had also been used in the campaign. That one was described as “a novel persistent backdoor executed with root privileges.”

Security vendor Barracuda Networks took the unusual decision back in June to offer all users of its Email Security Gateway (ESG) appliance a replacement device, following the discovery of a sophisticated cyber-espionage campaign. The attacks exploited zero-day vulnerability, tracked as CVE-2023-2868, and had been ongoing since October 2022, the vendor claimed. 

Indicators of Compromise

  • 29a41174eb9a39e0ad712ed5063c561e9c2e1db1f8f6b04b2ca369a6efc3ac9b
  • 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115

Leave a Reply

%d bloggers like this: