MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors | CISA

CISA analyzed four malware samples tied to Barracuda Email Security Gateway (ESG) compromises via CVE-2023-2868, identifying the SEASPY and WHIRLPOOL backdoors, which enable remote command execution and persistent access. SEASPY sniffs SMTP traffic for a magic packet that triggers a TCP reverse shell, while WHIRLPOOL accepts C2 IP/port arguments and establishes a TLS-protected reverse shell. #SEASPY #WHIRLPOOL

Keypoints

  • Threat actors exploited CVE-2023-2868 in vulnerable Barracuda Email Security Gateway (ESG) versions to deploy backdoors.
  • SEASPY is a persistent backdoor that masquerades as a Barracuda service and uses libpcap to sniff network traffic for a magic packet on TCP ports 25 and 587.
  • When SEASPY detects its magic string it launches a TCP reverse shell to the attacker C2, allowing execution of arbitrary commands on the ESG appliance.
  • WHIRLPOOL is a separate backdoor that receives C2 IP and port arguments and establishes a TLS-encrypted reverse shell to the operator-controlled server.
  • Persistence is implemented via an initialization script that invokes “/sbin/BarracudaMailService eth0” (the SEASPY service) at boot/runlevel.
  • CISA provided file artifacts and YARA rules (multiple SHA256s) for detection and hunting of these backdoors.

MITRE Techniques

  • [T1040] Network Sniffing – SEASPY “uses libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587.”
  • [T1036] Masquerading – SEASPY “masquerades as a legitimate Barracuda service ‘BarracudaMailService’.”
  • [T1573.002] Encrypted Channel: TLS – WHIRLPOOL “establishes a Transport Layer Security (TLS) reverse shell to the Command-and-Control (C2) server.”
  • [T1059] Command and Scripting Interpreter – Both backdoors enable remote arbitrary command execution on the compromised ESG appliance. (‘allows the threat actors to execute arbitrary commands on the ESG appliance.’)
  • [T1543] Create or Modify System Process – Persistence via init script that runs “/sbin/BarracudaMailService eth0”, installing the backdoor as a system service. (‘/sbin/BarracudaMailService eth0’ is specified and started by the initialization script)
  • [T1071] Application Layer Protocol – SEASPY uses SMTP-related ports (25 and 587) and inspects TCP packets as a covert C2 trigger channel. (‘monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587’)

Indicators of Compromise

  • [SHA256] sample artifacts – 3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115 (BarracudaMailService.old), 83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c (rverify), and 2 more hashes.
  • [File name] malicious binaries/scripts – BarracudaMailService.old (SEASPY executable masquerading as service), rverify (WHIRLPOOL binary).
  • [Service name / init script] persistence – initialization script contains “/sbin/BarracudaMailService eth0” to auto-start SEASPY on boot.
  • [Vulnerability] exploited CVE – CVE-2023-2868 used by threat actors to compromise Barracuda ESG devices.
  • [Network ports] covert trigger / C2 channels – TCP port 25 (SMTP) and TCP port 587 used by SEASPY as the magic-packet trigger; WHIRLPOOL uses supplied C2 IP/port to create a TLS reverse shell.

SEASPY and WHIRLPOOL were deployed after exploitation of Barracuda Email Security Gateway via CVE-2023-2868. SEASPY is a 64-bit ELF backdoor that installs as a system service (named BarracudaMailService), uses libpcap to sniff SMTP-related traffic on TCP ports 25 and 587 for a hard-coded magic string (examples: “oXmp” or “TfuZ”), and when matched launches a TCP reverse shell to the operator C2 to execute arbitrary commands. Some SEASPY variants perform an authentication handshake prior to spawning the shell and are invoked with the command-line pattern “./BarracudaMailService ” (sample: “./BarracudaMailService eth0”).
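As an added illustration (not code from the CISA report or from the samples it describes), the Python below shows one way a defender could hunt for the trigger pattern described above in captured traffic: it parses raw IPv4/TCP packets and flags any segment sent to TCP port 25 or 587 whose payload contains one of the quoted magic strings. The sample packets and addresses are constructed here, and the code assumes the magic string appears verbatim in the TCP payload, which the report does not spell out.

```python
import struct

# Magic strings quoted in the report and the two ports SEASPY watches.
SEASPY_MAGIC = (b"oXmp", b"TfuZ")
SEASPY_PORTS = {25, 587}

def parse_ipv4_tcp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for a raw IPv4/TCP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6 or len(frame) < ihl + 20:  # IP protocol 6 is TCP
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    tcp = frame[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4  # TCP data offset, in 32-bit words
    return src, dst, sport, dport, tcp[doff:]

def find_seaspy_triggers(frames):
    """Return (src, dst, dport, magic) for each segment to port 25/587 carrying a magic string."""
    hits = []
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed is None:
            continue
        src, dst, _, dport, payload = parsed
        if dport in SEASPY_PORTS:
            for magic in SEASPY_MAGIC:
                if magic in payload:  # assumption: magic string appears verbatim in the payload
                    hits.append((src, dst, dport, magic))
    return hits

def build_packet(src, dst, sport, dport, payload):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

# Constructed sample traffic: ordinary SMTP, two trigger packets, one on a port SEASPY ignores.
SAMPLE_FRAMES = [
    build_packet("203.0.113.7", "192.0.2.10", 40000, 25, b"EHLO mail.example\r\n"),
    build_packet("203.0.113.7", "192.0.2.10", 40001, 25, b"oXmp"),
    build_packet("203.0.113.9", "192.0.2.10", 40002, 587, b"xxTfuZxx"),
    build_packet("203.0.113.9", "192.0.2.10", 40003, 443, b"oXmp"),
]
```

In a real deployment the same match would be expressed as an IDS content rule on ports 25 and 587; a hit on an ESG appliance is a prompt to pull the init scripts and the /sbin/BarracudaMailService binary for the hash and YARA checks listed above.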

WHIRLPOOL is a separate 32-bit ELF backdoor that receives a C2 IP address and port from a companion module and establishes a TLS-encrypted reverse shell to that C2 for remote access. For both families CISA provides YARA rules and multiple SHA256 artifacts to support detection, and persistence is achieved via an initialization script that sets up services and calls “/sbin/BarracudaMailService eth0” so the backdoor starts automatically at the configured runlevel.

Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-221a