Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant

Mandiant details UNC4841’s exploitation of Barracuda ESG (CVE-2023-2868) and the actor’s post-remediation tooling designed to maintain and re-establish access at high-value victims. The report highlights selective deployment of SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE, plus techniques for persistence, C2 over mail/SMTP, and credential harvesting. #UNC4841 #DEPTHCHARGE

Keypoints

  • UNC4841 exploited CVE-2023-2868 in Barracuda ESG appliances to gain initial access and then selectively deployed tailored backdoors to high-priority targets.
  • SKIPJACK trojanized Barracuda’s Lua mail-processing module (mod_content.lua) to hook inbound messages and watch specific headers (e.g., Content-ID); a matching header value is AES-decrypted and Base64-decoded, then executed by a shell.
  • DEPTHCHARGE was deployed as a Linux shared object preloaded into the BSMTP daemon (LD_PRELOAD) via a crafted MySQL trigger that writes and launches an installer archive.
  • FOXTROT/FOXGLOVE consist of a configurable C++ backdoor and a C launcher enabling proxying, shell execution, keystroke capture, and file transfer; they were used very selectively at government/high-priority targets.
  • UNC4841 performed internal reconnaissance (fscan), harvested plaintext credentials from ESG message stores (mstore), and used those credentials for OWA and SSH-based lateral movement.
  • Persistence techniques included modifying SMTP configuration for pre-loading, MySQL trigger-based installers enabling infection of restored configs, timestomping files, and creating accounts with sshd listening on high ports.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – UNC4841 exploited CVE-2023-2868 in Barracuda ESG appliances to gain initial access.
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – DEPTHCHARGE is “packaged as a Linux shared object library, which is pre-loaded into the Barracuda SMTP (BSMTP) daemon using LD_PRELOAD”.
  • [T1071.003] Application Layer Protocol: Mail Protocols – C2 traffic consists of “encrypted commands that masquerade as SMTP EHLO commands”, with results returned as SMTP replies.
  • [T1046] Network Service Discovery – UNC4841 used “open-source tools such as fscan to perform host detection, port scanning, web fingerprint identification” for internal reconnaissance.
  • [T1021.004] Remote Services: SSH – the actor spawned a second sshd on a high port restricted to an actor-created account (example command ‘/usr/sbin/sshd -p 48645 -oAllowUsers=rfvN’) and used SSH for lateral access.
  • [T1078] Valid Accounts – harvested credentials were “used to successfully access the account through Outlook Web Access (OWA) on the first attempt”.
  • [T1552.001] Unsecured Credentials: Credentials In Files (formerly T1081) – Mandiant observed “cleartext credentials contained within the contents of messages stored on the ESG” that were harvested for access.
  • [T1543] Create or Modify System Process – the DEPTHCHARGE installer will “modify the SMTP configuration file to pre-load the malware with the given BSMTP_ID configuration value” so the hook survives daemon restarts.
  • [T1027] Obfuscated Files or Information – commands and payloads are AES-256 encrypted and Base64 encoded in transit (“AES-256 decrypt and Base64 decode the header body”).
  • [T1036] Masquerading – DEPTHCHARGE C2 and results are “masqueraded as SMTP traffic” to blend with the appliance’s normal mail flow.

Indicators of Compromise

  • [IP Address] C2 / infrastructure examples – 101.229.146.218 (China Telecom CN), 104.156.229.226 (Choopa, LLC US), and many others listed in the report.
  • [Domain] C2 and mail domains – bestfindthetruth[.]com, mx01.bestfindthetruth[.]com (mail/C2 infrastructure and subdomains used by the actor).
  • [File Hash / MD5] Host artifacts – b745626b36b841ed03eddfb08e6bb061 (libutil.so — DEPTHCHARGE), d81263e6872cc805e6cf4ca05d86df4e (mod_content.lua — SKIPJACK), and numerous other hashes in the report.
  • [Filename] Installed/malicious files – mod_content.lua (SKIPJACK backdoor injection), libutil.so (DEPTHCHARGE shared object), run.sh (DEPTHCHARGE installer), and mknod (SKIPJACK installer script).

UNC4841 exploited the Barracuda ESG TAR-handling vulnerability (CVE-2023-2868) to write malicious archives and scripts to the appliance filesystem. Initial exploitation commonly dropped TAR archives and installers (e.g., snapshot.tar, install_bvp74_auth.tar) and bash installer scripts such as mknod or run.sh under /boot/os_tools/ or /var/tmp. These scripts injected malicious Lua into mod_content.lua to create SKIPJACK backdoors that inspect specific email headers (Content-ID or X-Barracuda-Spam-Info), AES-decrypt and Base64-decode the header body, and pipe the decoded content to a shell for execution. UNC4841 also left MySQL trigger payloads (stored in the config.TRG trigger definitions) that write Base64 payloads to /var/tmp/r and abuse the appliance code’s use of Perl’s two-argument open() with a crafted filename: two-argument open() treats a leading or trailing “|” in the “filename” as a pipe to or from a shell command, so the crafted value is executed rather than opened as a file when the configuration is restored. Because the trigger travels with the exported configuration, restoring an infected backup onto a new appliance re-runs it.
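As an added example (not code from the Mandiant report or from Barracuda), the following Python implements two triage heuristics for the artifacts described above: a scanner that walks the MIME parts of a message and flags Content-ID or X-Barracuda-Spam-Info values that are pure Base64 decoding to AES-block-aligned bytes (this assumes the header carries Base64-encoded ciphertext; the summary names both steps without fixing their order), and a scanner for MySQL trigger bodies that flags file writes, Base64 literals, and pipe-prefixed “filenames” of the kind that Perl’s two-argument open() executes. The sample messages and the trigger body are constructed for the example and are not from the report.

```python
"""Triage heuristics for SKIPJACK trigger headers and MySQL-trigger persistence (added example)."""
import base64
import binascii
import re
from email import message_from_string

# Headers the summary says SKIPJACK inspects on inbound mail.
WATCHED_HEADERS = ("Content-ID", "X-Barracuda-Spam-Info")
AES_BLOCK = 16
# Pure Base64 alphabet, reasonably long, optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed stand-in for an encrypted command: 32 arbitrary bytes, Base64-encoded.
SUSPECT_VALUE = base64.b64encode(bytes(range(32))).decode()

# Constructed benign message: normal Content-ID and a spam-score style header.
BENIGN_MSG = """From: alice@example.com
To: bob@example.com
Subject: quarterly report (constructed sample)
X-Barracuda-Spam-Info: Score=0.00 Tests=NONE
Content-Type: text/plain
Content-ID: <part1.1234@example.com>

body
"""

# Constructed multipart message whose second part carries the suspect value.
SUSPECT_MSG = f"""From: sender@example.net
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain
Content-ID: <part1.1234@example.net>

hello
--b1
Content-Type: application/octet-stream
Content-ID: <{SUSPECT_VALUE}>

payload
--b1--
"""


def looks_like_cipher_blob(value: str) -> bool:
    """True if the header value is pure Base64 that decodes to AES-block-aligned bytes.

    A normal Content-ID (<id@host>) or a spam-score string fails the alphabet
    check and is never decoded.
    """
    v = value.strip().strip("<>")
    if not B64_RE.fullmatch(v):
        return False
    try:
        raw = base64.b64decode(v, validate=True)
    except binascii.Error:
        return False
    return len(raw) >= AES_BLOCK and len(raw) % AES_BLOCK == 0


def scan_message(raw_message: str) -> list[tuple[str, str]]:
    """Walk every MIME part and return (header, value) pairs that look like command blobs."""
    hits = []
    for part in message_from_string(raw_message).walk():
        for header in WATCHED_HEADERS:
            for value in part.get_all(header, []):
                if looks_like_cipher_blob(str(value)):
                    hits.append((header, str(value)))
    return hits


# Constructed trigger body illustrating the pattern the summary describes: a Base64
# payload written under /var/tmp and a "filename" that is really a shell pipe.
SAMPLE_TRIGGER = """CREATE TRIGGER cfg_restore AFTER INSERT ON config FOR EACH ROW
BEGIN
  SET @p = 'ZWNobyBjb25zdHJ1Y3RlZCBzYW1wbGU=';
  SELECT @p INTO DUMPFILE '/var/tmp/r';
  INSERT INTO config (name, value) VALUES ('backup_path', '|/bin/sh /var/tmp/r');
END"""

TRIGGER_PATTERNS = {
    "file write from trigger": re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+'[^']*'", re.I),
    "pipe in filename (Perl two-arg open)": re.compile(r"'\s*\|[^']*'|'[^']*\|\s*'"),
    "long Base64 literal": re.compile(r"'[A-Za-z0-9+/]{24,}={0,2}'"),
}


def scan_trigger(body: str) -> list[str]:
    """Return one finding per matched pattern, with the matched text for context."""
    findings = []
    for label, pattern in TRIGGER_PATTERNS.items():
        m = pattern.search(body)
        if m:
            findings.append(f"{label}: {m.group(0)}")
    return findings


if __name__ == "__main__":
    print(scan_message(BENIGN_MSG), scan_message(SUSPECT_MSG))
    print(scan_trigger(SAMPLE_TRIGGER))
```

These are hunting heuristics, not signatures: some mail clients generate Content-ID values that happen to be Base64-shaped, so confirm hits against the SKIPJACK YARA rules in the report and against the appliance’s mod_content.lua hash before acting on them. Dump the trigger definitions with SHOW TRIGGERS (or read the config.TRG file from an exported configuration) and feed each body to scan_trigger before restoring any pre-remediation backup.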

For persistence and stealth, the actor deployed DEPTHCHARGE as a Linux shared object (libutil.so) preloaded into the BSMTP daemon via LD_PRELOAD. DEPTHCHARGE watches incoming TCP connections and activates only when the client’s source port matches the configured BSMTP_ID; it then retrieves the local SMTP banner, accepts Base64/AES-encrypted commands disguised as SMTP EHLO traffic, executes them, and returns the output as SMTP replies. FOXTROT (a C++ backdoor) and FOXGLOVE (a C launcher) were used only at high-value targets: FOXGLOVE decrypts its encrypted runtime parameters (C2 address, port, secret, jitter) and launches FOXTROT, which supports proxying, keystroke capture, reverse shells and file transfer. Installer scripts timestomped the dropped files, re-checked and re-applied the pre-load persistence, and were built to survive appliance replacement by embedding triggers in exported configurations so that a restored configuration re-infects the new appliance.

Post-exploitation activity shows internal reconnaissance (fscan port and web-fingerprint scanning), credential harvesting from ESG message stores (mstore) where cleartext credentials were found, and lateral movement via OWA (valid-account logins) and SSH (a spawned sshd listening on a high port, restricted to a randomly named account). Detection and response focus points include the listed IPs/domains, the specific file names and hashes (mod_content.lua, libutil.so, run.sh, mknod), the YARA rules for SKIPJACK/DEPTHCHARGE/FOXTROT/FOXGLOVE provided in the report, and hunting for MySQL triggers and modified BSMTP configurations that enable LD_PRELOAD persistence. Because the trigger persistence rides along in exported configurations, treat any configuration backup taken before remediation as potentially infected and inspect its triggers before restoring it onto a replacement appliance.
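The persistence paragraph above (LD_PRELOAD in the SMTP configuration, timestomped installer files) and the lateral-movement paragraph (sshd spawned on a high port with a pinned AllowUsers account) both call for host-side checks. The Python below is an added example written for this page, not tooling from Mandiant or Barracuda: the SMTP configuration text and the process listing are constructed stand-ins (the real BSMTP config format is not on the page, so the check only looks for an LD_PRELOAD assignment), and the timestomp check relies on the Linux rule that utime() can back-date mtime but cannot set ctime.

```python
"""Host triage checks: LD_PRELOAD in the SMTP config, timestomped files, rogue sshd (added example)."""
import os
import re
import tempfile
import time

# Constructed stand-in for the BSMTP configuration; the only assumption is that the
# installer's persistence shows up as an LD_PRELOAD assignment, as the summary says.
SAMPLE_SMTP_CONFIG = """# constructed sample
bsmtp_max_connections=200
export LD_PRELOAD=/var/tmp/libutil.so
bsmtp_banner=220 mail.example.com ESMTP
"""
LD_PRELOAD_RE = re.compile(r"^\s*(?:export\s+)?LD_PRELOAD\s*=\s*(\S+)", re.M)


def preloaded_libraries(config_text: str) -> list[str]:
    """Every library path assigned to LD_PRELOAD; each one deserves a hash check."""
    return [p.strip("\"'") for p in LD_PRELOAD_RE.findall(config_text)]


def timestomp_suspect(path: str, skew_seconds: float = 3600.0) -> bool:
    """utime()/touch can rewrite atime and mtime, but the kernel stamps ctime with
    the current clock on every inode change, so an mtime far behind ctime is a
    timestomping tell. Expect false positives from archives extracted with
    preserved mtimes, package installs, and chmod/chown on genuinely old files."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > skew_seconds


def demo_timestomp() -> tuple[bool, bool]:
    """(fresh file flagged?, file with back-dated mtime flagged?) -> (False, True)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed")
        path = f.name
    try:
        fresh = timestomp_suspect(path)
        old = time.time() - 365 * 86400      # what `touch -d` / `touch -r` does
        os.utime(path, (old, old))
        stomped = timestomp_suspect(path)
    finally:
        os.unlink(path)
    return fresh, stomped


# Constructed process listing; the second line is the command quoted in the summary.
SAMPLE_PS = [
    "root   812  /usr/sbin/sshd -D",
    "root  4410  /usr/sbin/sshd -p 48645 -oAllowUsers=rfvN",
    "root  4411  sshd: rfvN [priv]",
]
SSHD_RE = re.compile(r"(?:^|/|\s)sshd(?P<args>\s.*)$")
PORT_RE = re.compile(r"-p\s*(\d+)")
ALLOW_RE = re.compile(r"-oAllowUsers=(\S+)")


def rogue_sshd(process_lines: list[str], expected_ports=(22,)) -> list[dict]:
    """Flag sshd daemons on unexpected ports or pinned to a per-actor user list."""
    findings = []
    for line in process_lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        args = m.group("args")
        port_m, allow_m = PORT_RE.search(args), ALLOW_RE.search(args)
        port = int(port_m.group(1)) if port_m else 22
        allow = allow_m.group(1) if allow_m else None
        if port not in expected_ports or allow:
            findings.append({"line": line, "port": port, "allow_users": allow})
    return findings


if __name__ == "__main__":
    print(preloaded_libraries(SAMPLE_SMTP_CONFIG))
    print(demo_timestomp())
    print(rogue_sshd(SAMPLE_PS))
```

Run the sshd check over `ps -eo pid,user,args` output and cross-check with `ss -ltnp`: a daemon that exists in the process table but whose listening port does not appear in the appliance’s documented service list is the case the summary describes. For the timestomp check, compare against the package manifest or a known-good appliance image rather than trusting the mtime in either direction.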

Read more: https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-remediation