Keypoints
- SUBMARINE is a persistent backdoor embedded as artifacts within the Barracuda ESG SQL database, deployed via a malicious SQL trigger named ‘cuda_trigger’.
- The SQL trigger writes a base64-encoded GZIP archive to /var/tmp/r and executes a base64-encoded shell command that decodes and runs run.sh with nohup.
- run.sh moves components to /boot/os_tools/, creates hw-set, and crafts a sed command to prepend LD_PRELOAD to the BSMTP daemon startup, enabling libutil.so to be loaded into bsmtpd memory.
- libutil.so (the payload) is preloaded into the BSMTP daemon, obtains the BSMTP_ID, forks bsmtpd, opens local connections, and can decode, decrypt (AES-256-CBC), and execute received inputs.
- The loader modifies smtpctl and update_version to ensure persistence and execution, and contains routines to remove forensic artifacts (mail files and /var/tmp contents).
- Multiple artifacts and their hashes were submitted: config.TRG (SQL trigger), r (base64 GZIP), run.sh, hw-set, libutil.so, and a specially named base64-encoded shell script in /root used to trigger execution.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – SUBMARINE decodes and executes base64-encoded shell commands from the SQL trigger: ‘cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp’ and ‘nohup bash /var/tmp/run.sh <BSMTP_ID> >/dev/null 2>&1 &’.
- [T1105] Ingress Tool Transfer – A compressed, base64-encoded blob is written to ‘/var/tmp/r’ and, when decoded, yields ‘run.sh’ and ‘libutil.so’ for later execution: “a compressed, base64 encoded blob containing 2 files is written into a file called ‘r’ in the ‘/var/tmp’ directory”.
- [T1547] Boot or Logon Autostart Execution – The malware creates and modifies boot/update scripts to run hw-set and persist execution: “system(‘/boot/os_tools/hw-set 2>&1 >/dev/null &’);” and inserts ‘sleep 2m’ in hw-set.
- [T1574] Hijack Execution Flow – The loader modifies smtpctl to preload the shared object using LD_PRELOAD so ‘libutil.so’ runs in the BSMTP daemon: ‘BSMTP_ID=$1 LD_PRELOAD=$A exec’.
- [T1071] Application Layer Protocol – The payload uses the BSMTP/SMTP context to receive encoded and encrypted commands and execute them, including the echoed command pipeline: ‘echo -n ‘%s’ | base64 -d | openssl aes-256-cbc -d -K 66833b26%d -iv 69822b6c%d 2>/dev/null | sh’ and ‘The malware opens a connection to 127.0.0.1’.
Indicators of Compromise
- [SHA256 hashes] Submitted malware samples and artifacts – 81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab (libutil.so), 6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0 (r), and several other hashes.
- [File names] Malicious filenames found in artifacts – config.TRG (malicious SQL trigger), run.sh (loader), hw-set (persistence script), smtpctl (modified mail control script).
- [File paths] Installation and drop locations – /boot/os_tools/libutil.so, /var/tmp/r, /home/product/code/firmware/current/sbin/smtpctl (modified), and /var/tmp/run.sh.
- [Domains/Strings] SMTP-related string used in payload – ‘250-mail2.eccentric.duck’ observed in payload strings (used in SMTP response formatting).
- [Local IP] Local loopback connection used by payload – 127.0.0.1 opened by libutil.so during operation.
The technical procedure begins with a malicious SQL trigger (‘cuda_trigger’) stored in the ESG appliance SQL database. The trigger executes as root when specific database events occur: it writes a compressed, base64-encoded blob to /var/tmp/r, then executes a base64-encoded command that decodes and extracts the blob into /var/tmp and launches run.sh via ‘nohup’, passing a BSMTP_ID and redirecting output to /dev/null. A separate artifact in /root has a base64-encoded filename that carries equivalent commands; decoding and executing that name runs the same decode-and-execute sequence, which gives a second way to start the chain.
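As an added example (not code from the CISA report or from the malware), the following Python routine does the analyst’s side of this first stage: given the body of a suspicious trigger, it finds every long base64 run, unpacks any run that decodes to a gzip’d tar (what ‘base64 -d -i | tar -zx’ would produce from /var/tmp/r) and lists the staged file names, and decodes text runs to expose the shell pipeline they hide. The trigger text it runs against is constructed here; the archive holds placeholder files, and the sys_exec() call used to hand the command to a shell is an assumption, since the page does not show how the real trigger reaches the shell.

```python
import base64
import binascii
import io
import re
import string
import tarfile

# File names the dropper stages, and markers of the decode-and-run pipeline
# quoted in the analysis above.
STAGED_NAMES = {"run.sh", "libutil.so", "hw-set"}
COMMAND_MARKERS = ("base64 -d", "tar -zx", "nohup", "/var/tmp/run.sh", "LD_PRELOAD")

# A run of 40+ base64-alphabet characters with optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text):
    """Yield the decoded bytes of every long base64 run embedded in text."""
    for match in B64_RUN.finditer(text):
        raw = match.group(0)
        try:
            yield base64.b64decode(raw + "=" * (-len(raw) % 4))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all (e.g. a long hex string)


def tar_members(blob):
    """Return {name: content} if blob is a gzip'd tar (like the decoded 'r'), else None."""
    if not blob.startswith(b"\x1f\x8b"):  # gzip magic
        return None
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tf:
            return {m.name.lstrip("./"): tf.extractfile(m).read()
                    for m in tf.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError, EOFError):
        return None


def analyze_trigger(trigger_sql):
    """Decode what a trigger body stages and report the indicators found."""
    report = {"staged_files": [], "commands": [], "hits": []}
    for blob in decode_blobs(trigger_sql):
        files = tar_members(blob)
        if files is not None:
            report["staged_files"].extend(sorted(files))
            known = STAGED_NAMES & set(files)
            if known:
                report["hits"].append("archive stages " + ", ".join(sorted(known)))
            continue
        try:
            text = blob.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary that is not an archive; out of scope here
        if not all(ch in string.printable for ch in text):
            continue
        report["commands"].append(text)
        report["hits"].extend(f"decoded command contains {m!r}"
                              for m in COMMAND_MARKERS if m in text)
    report["suspicious"] = bool(report["hits"])
    return report


def build_sample_trigger():
    """Constructed stand-in for cuda_trigger, NOT the real trigger text.

    The archive contains placeholder files with the two staged names, and the
    base64-wrapped command mirrors the pipeline quoted above. sys_exec() is an
    assumed way of reaching a shell from SQL; the page does not show the real one.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in (("run.sh", b"#!/bin/bash\n# placeholder, not the real loader\n"),
                           ("libutil.so", b"\x7fELF placeholder, not the real payload\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    blob_b64 = base64.b64encode(buf.getvalue()).decode()
    cmd = ("cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp; "
           "nohup bash /var/tmp/run.sh 12345 >/dev/null 2>&1 &")
    cmd_b64 = base64.b64encode(cmd.encode()).decode()
    return (
        "CREATE TRIGGER cuda_trigger AFTER INSERT ON mail_log FOR EACH ROW BEGIN\n"
        f"  SELECT '{blob_b64}' INTO OUTFILE '/var/tmp/r';\n"
        f"  SELECT sys_exec('echo {cmd_b64} | base64 -d | sh');\n"
        "END"
    )


if __name__ == "__main__":
    for key, value in analyze_trigger(build_sample_trigger()).items():
        print(key, value)
```

Feed it the trigger definitions dumped from the appliance database; anything that stages run.sh or libutil.so, or hides a nohup/tar pipeline in a base64 run, should be treated as this dropper until proven otherwise.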
run.sh relocates the extracted components into /boot/os_tools/, prepares a base64-encoded sed command that inserts an LD_PRELOAD invocation into the BSMTP startup script (smtpctl), creates hw-set to run on boot and update, injects a background call to hw-set into update_version, sets executable permissions, and deletes its temporary files from /var/tmp to hinder discovery. Because of that cleanup, an empty /var/tmp says nothing about whether an appliance is clean; the durable evidence is the modified smtpctl and update_version and the contents of /boot/os_tools/. Once modified, smtpctl sets ‘BSMTP_ID’ and preloads /boot/os_tools/libutil.so into the bsmtpd process (‘BSMTP_ID=$1 LD_PRELOAD=$A exec’), so the shared object runs with the daemon’s privileges every time the mail daemon starts or restarts.
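To show what that persistence looks like to a responder, here is an added Python triage routine (not from the CISA report or the Barracuda firmware) that walks an in-memory snapshot of file paths and contents and flags the drop locations and SHA256 values listed above, an LD_PRELOAD assignment immediately before exec in smtpctl, and a system() call to /boot/os_tools/hw-set in update_version. The snapshot is constructed: the update_version path and the exact bsmtpd exec line are assumptions, and the file contents are placeholders rather than the real scripts or payload.

```python
import hashlib
import re

# SHA256 values listed among the IOCs above (libutil.so and the staged blob 'r').
IOC_SHA256 = {
    "81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab": "libutil.so",
    "6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0": "r",
}
# Drop locations listed above. The /var/tmp entries are usually gone by the time
# anyone looks, because run.sh deletes them; their absence proves nothing.
IOC_PATHS = {
    "/boot/os_tools/libutil.so",
    "/boot/os_tools/hw-set",
    "/var/tmp/r",
    "/var/tmp/run.sh",
}
# The smtpctl line run.sh injects ("BSMTP_ID=$1 LD_PRELOAD=$A exec ...") and the
# hw-set call it injects into update_version, both as quoted above.
PRELOAD_EXEC = re.compile(r"\bLD_PRELOAD=\S+\s+exec\b")
HWSET_CALL = re.compile(r"system\(\s*['\"]/boot/os_tools/hw-set\b")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(fs, ioc_hashes=IOC_SHA256):
    """Return (path, reason) findings for an in-memory snapshot {path: bytes}."""
    findings = []
    for path, data in sorted(fs.items()):
        digest = sha256_hex(data)
        if digest in ioc_hashes:
            findings.append((path, f"sha256 matches the submitted {ioc_hashes[digest]} sample"))
        if path in IOC_PATHS:
            findings.append((path, "known SUBMARINE drop location is present"))
        base = path.rsplit("/", 1)[-1]
        text = data.decode("utf-8", errors="replace")
        if base == "smtpctl":
            for lineno, line in enumerate(text.splitlines(), 1):
                if PRELOAD_EXEC.search(line):
                    findings.append((path, f"line {lineno}: LD_PRELOAD set before exec of the mail daemon"))
                elif "LD_PRELOAD" in line:
                    findings.append((path, f"line {lineno}: unexpected LD_PRELOAD reference"))
        if base == "update_version" and HWSET_CALL.search(text):
            findings.append((path, "calls /boot/os_tools/hw-set (persistence hook)"))
    return findings


# Constructed snapshot of an infected appliance. Paths are the ones listed above
# except update_version, whose location is assumed; contents are stand-ins (the
# real bsmtpd invocation, scripts and payload are not reproduced here).
SAMPLE_FS = {
    "/home/product/code/firmware/current/sbin/smtpctl": (
        b"#!/bin/bash\n"
        b"A=/boot/os_tools/libutil.so\n"
        b"BSMTP_ID=$1 LD_PRELOAD=$A exec bsmtpd \"$@\"\n"
    ),
    "/home/product/code/firmware/current/bin/update_version": (
        b"# constructed placeholder for the update script\n"
        b"system('/boot/os_tools/hw-set 2>&1 >/dev/null &');\n"
    ),
    "/boot/os_tools/hw-set": b"#!/bin/bash\nsleep 2m\n",
    "/boot/os_tools/libutil.so": b"\x7fELF placeholder, not the real payload\n",
    "/etc/hostname": b"esg\n",
}


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_FS):
        print(f"{path}: {reason}")
```

Against a mounted image, build the dict by reading the listed paths plus every smtpctl and update_version under the firmware tree; the hash table is a parameter so the other submitted hashes can be added as they are obtained.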
libutil.so implements the backdoor: it reads BSMTP_ID from the environment, forks and launches processes, opens local sockets (127.0.0.1), and processes input arriving in the BSMTP context. It accepts Base64-encoded, AES-256-CBC-encrypted payloads delivered via SMTP, formats them into a shell pipeline of the form ‘echo -n ‘%s’ | base64 -d | openssl aes-256-cbc -d -K … -iv … | sh’, and runs it, so whatever decrypts successfully is executed as shell. The overall chain provides root-level execution, persistence via startup script modification, command and control through the mail daemon, and cleanup routines that erase mail files and /var/tmp contents.
Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-209a