SALTWATER is a backdoor deployed in the exploitation of Barracuda’s CVE-2023-2868 0-day flaw, implemented as a bsmtpd module that hooks network functions to gain remote control. It enables command execution, file download/upload, proxying, and tunneling via a multi-channel C2 over TLS/SSL. #SALTWATER #Barracuda
Key points
- SALTWATER is a backdoor used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868.
- The malware hooks the recv, send, and close functions using a hooking library (funchook) to intercept network communications.
- It implements multiple backdoor channels (ShellChannel, DownloadChannel, UploadChannel, ProxyChannel, TunnelArgs) to receive commands and exfiltrate data.
- A new thread (cc_worker/Connected2Vps) is spawned to contact the C2 infrastructure via OpenConnection; the IP/port supplied by the C2 is resolved with gethostbyname/getaddrinfo.
- The malware can execute arbitrary commands on the infected device (popen/fgets), including shell command execution and output retrieval.
- It uses TLS/SSL for communications (TLS/SSL handshake with a Proxy server) and transmits data over an encrypted channel.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Barracuda 0-day CVE-2023-2868 exploited to install SALTWATER backdoor. “SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868.”
- [T1055] Process Injection – Hooks the recv, send, and close functions via funchook to intercept communications. “The malware hooked the recv, send, and close functions using an open-source hooking library called funchook.”
- [T1059] Command and Scripting Interpreter – Executes arbitrary commands on the infected device via shell channels (ShellChannel). “The server can specify a command that will be executed on the infected device:”
- [T1105] Ingress Tool Transfer – The malware handles downloading and uploading files (DownloadChannel/UploadChannel). “download and upload files” and “The remaining structure received from the C2 server called TRANSFILE has 20 bytes.”
- [T1090] Proxy – Uses a proxy channel and tunneling to route traffic. “Proxy functionality, and tunneling functionality” and “OpenConnection” to the C2 infrastructure.
- [T1573] Encrypted Channel – Establishes TLS/SSL communications for C2/Proxy traffic. “initiates the TLS/SSL handshake with the Proxy server”
- [T1041] Exfiltration – Exfiltrates data to the C2 via SSL_write and related routines. “The malware sends 4 NULL bytes to the C2 server” and related data transfers.
Indicators of Compromise
- [Hash] 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4 – SHA256 hash of the SALTWATER binary