Keypoints
- CISA obtained two SEASPY samples deployed against Barracuda Email Security Gateway versions affected by CVE-2023-2868.
- The malware installs as a system service named “BarracudaMailService” to maintain persistence and masquerade as legitimate software.
- SEASPY uses libpcap to sniff TCP traffic on SMTP ports (25 and 587) and looks for a hard-coded magic string (“oXmp”) in captured packets.
- When the magic packet is detected, the malware establishes a TCP reverse shell to a remote C2 server, allowing arbitrary command execution.
- Samples are 64-bit ELF (x86-64) binaries; CISA provided SHA256/MD5/SHA1 hashes and a YARA rule (CISA_10452108_01) for detection.
- One sample variant jumps directly to reverse shell code in start_pcap_listener, while the other contains an extra instruction sequence before invoking the reverse shell.
- Antivirus engines and the supplied YARA rule can detect these SEASPY variants using embedded strings and known hashes.
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly mentioned in the article.
Indicators of Compromise
- [SHA256] SEASPY sample hashes – 3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb, 69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192, plus two further SHA256 values that appear only in the YARA rule.
- [MD5] sample MD5 hashes – 32ffe48d1a8ced49c53033eb65eff6f3, 5d6cba7909980a7b424b133fbac634ac.
- [Filenames/Service name] execution context – BarracudaMailService (invoked as “./BarracudaMailService “ with the network interface to sniff as its argument), BarracudaMailService.1, BarracudaMailService.2.
- [Network ports] packet sniffing targets – TCP port 25 (SMTP), TCP port 587 (SMTP submission).
- [Hard-coded string] magic packet marker – “oXmp” (checked in captured TCP payloads to trigger reverse shell).
- [YARA rule] detection reference – CISA_10452108_01 (includes multiple SHA256s and specific embedded strings used for identification).
CISA’s analysis shows SEASPY is deployed as a persistent ELF service named “BarracudaMailService” on Barracuda Email Security Gateway appliances compromised through CVE-2023-2868; the backdoor is the post-exploitation payload, not the exploit itself. The binary is based on the open-source backdoor “cd00r” and is executed with a network-interface parameter (usage: “./BarracudaMailService “). Both provided samples are 64-bit x86-64 ELF files; notable sample SHA256s include 3e21e547cf94cb07c010fe82d6965e5bd52dbdd9255b4dd164f64addfaa87abb and 69935a1ce0240edf42dbe24535577140601bcf3226fa01e4481682f6de22d192.
At runtime, SEASPY uses libpcap to sniff traffic on the specified interface, filtering for TCP packets to or from ports 25 and 587. The listener inspects TCP payloads for a hard-coded magic string (“oXmp”); when the marker is found, the malware opens a TCP reverse shell to the attacker’s C2 server, giving remote execution of arbitrary commands on the appliance. The reverse-shell routine is reached from a function named start_pcap_listener, which branches to it once the magic packet is seen. Because the trigger is read from a packet capture rather than from a bound socket, the backdoor exposes no listening port of its own; the mail ports it watches are already open for legitimate SMTP, so a port scan of the appliance will not reveal it.
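The defender-side counterpart of the check described above is to scan captured SMTP traffic for the same marker. The following is an added example, not code from CISA’s report or from the SEASPY binary: it parses Ethernet/IPv4/TCP frames, restricts to traffic touching TCP 25 or 587, and flags any payload containing “oXmp”. It assumes the marker may appear anywhere in the TCP payload (the page does not state a fixed offset); the sample frames are constructed inline.

```python
"""Flag TCP payloads on SMTP ports that carry the SEASPY magic marker "oXmp".

Added example for this summary, not CISA's or the malware's code. Assumes
Ethernet II + IPv4 + TCP framing and that the marker may sit anywhere in the
TCP payload. All frames below are constructed test data.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MAGIC = b"oXmp"           # hard-coded trigger string reported by CISA
WATCHED_PORTS = {25, 587}  # SMTP and SMTP submission


@dataclass
class Alert:
    src: str
    sport: int
    dst: str
    dport: int
    offset: int  # byte offset of the marker inside the TCP payload


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6:  # version 4, sane IHL, protocol TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]  # drop any Ethernet padding after the IP datagram
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return _ip(ip[12:16]), sport, _ip(ip[16:20]), dport, tcp[doff:]


def scan_frames(frames: Iterable[bytes]) -> List[Alert]:
    """Apply the same port filter SEASPY uses, then look for the marker in the payload."""
    alerts: List[Alert] = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if dport not in WATCHED_PORTS and sport not in WATCHED_PORTS:
            continue
        off = payload.find(MAGIC)
        if off != -1:
            alerts.append(Alert(src, sport, dst, dport, off))
    return alerts


def build_frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame for testing (checksums left at zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp


# Constructed sample traffic: one benign SMTP command, two triggers, one marker on a non-watched port.
SAMPLE_FRAMES = [
    build_frame("203.0.113.7", 40000, "192.0.2.10", 25, b"EHLO mail.example\r\n"),
    build_frame("203.0.113.7", 40001, "192.0.2.10", 25, b"\x00\x01oXmp\x02"),
    build_frame("203.0.113.7", 40002, "192.0.2.10", 587, b"oXmp"),
    build_frame("203.0.113.7", 40003, "192.0.2.10", 443, b"oXmp"),
]

if __name__ == "__main__":
    for a in scan_frames(SAMPLE_FRAMES):
        print(f"SEASPY marker {a.src}:{a.sport} -> {a.dst}:{a.dport} at payload offset {a.offset}")
```

In practice the frames would come from a capture on the appliance’s mail-facing interface (read with a pcap library instead of `build_frame`); the port filter mirrors the one the backdoor applies, so anything it would act on is also something this scan inspects.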
The two analyzed binaries share the same malicious capability but differ in implementation details within start_pcap_listener: one variant jumps directly to the reverse-shell routine while the other executes an additional instruction sequence before branching to the reverse shell. CISA published detection artifacts including YARA rule CISA_10452108_01 (containing multiple SHA256 values and identifying strings) and noted AV detections; defenders should use these indicators and monitor for the listed filenames, ports, and the magic string in network captures to detect or block SEASPY activity. Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-209b