MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors | CISA

CISA analyzed five malware samples tied to Barracuda Email Security Gateway intrusions and identified artifacts for SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors; the intrusions exploited CVE-2023-2868 against Barracuda ESG. The samples include Perl, Lua, ELF, and shared-object components that perform system discovery, command execution, thread/process injection, and networked C2 (including TLS). #SUBMARINE #SEASPRAY

Keypoints

  • CISA obtained five samples associated with SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER, linked to exploitation of CVE-2023-2868 against Barracuda ESG.
  • The SUBMARINE artifact uses a specially crafted filename (base64-encoded) to trigger shell execution and change permissions, enabling command execution via the filename itself.
  • The SKIPJACK sample (get_fs_info.pl) is a Perl script that enumerates filesystem and partition information by parsing /etc/fstab and printing requested partition data.
  • SEASPRAY is a trojanized Lua module that registers an attachment handler, checks for a hard-coded string (‘obt’), and uses os.execute to run the helper executable ‘saslautchd’.
  • WHIRLPOOL is a 64-bit ELF backdoor that performs CPU and kernel discovery, accesses many environment variables and system files, performs DNS resolution, connects to remote hosts, and spawns shells (reverse-shell behavior).
  • SALTWATER is a 32-bit shared object that receives network data via recv, creates threads (thread injection), performs DNS resolution, establishes TLS v1 communications for C2, and can execute shell commands with popen.
  • CISA published YARA rules and multiple SHA256 hashes for detection; relationships show SEASPRAY invoking saslautchd and that saslautchd is a WHIRLPOOL artifact.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial access via a Barracuda ESG vulnerability. (‘The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).’)
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Malware spawns shells and executes commands via os.execute and execve, including execution from crafted filenames. (‘the base64 string within the file name will be executed on the Linux shell’ and ‘uses os.execute to execute the file “saslautchd”’)
  • [T1082] System Information Discovery – Samples enumerate system information such as CPU, kernel version, environment variables, and various /proc and /etc files. (‘The malware checks processor hardware and architecture… determining the kernel version by invoking the ‘uname’ command line function’ and ‘Begin Accessed Environment Variables’)
  • [T1055] Process Injection – SALTWATER creates new threads within the calling process to inject and run functions (thread injection). (‘Figure 12 shows the malware creating a new thread, within the calling process. This is thread injection’)
  • [T1573.001] Encrypted Channel: TLS – SALTWATER establishes encrypted communications to C2 using TLS v1. (‘the second function can establish communications, over the network, using a TLS version 1 connection.’)
  • [T1071] Application Layer Protocol – Backdoors connect to remote hosts and implement reverse-shell behavior by creating sockets and invoking /bin/sh. (‘capacity to connect to a remote address, and then create a new process with the command line argument ‘/bin/sh’.’)
  • [T1105] Ingress Tool Transfer – Components accept or receive payload data over existing network sockets using recv. (‘This artifact… can intake data over the network, using a previously established socket, with the ‘recv’ function’)

Indicators of Compromise

  • [File Hashes] Submitted sample SHA256s – 4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c, 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598, and 3 more hashes.
  • [File Names] Malicious filenames observed – machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh_-slack, get_fs_info.pl, mod_sender.lua, saslautchd, mod_rft.so.
  • [Vulnerability] Exploited CVE – CVE-2023-2868 used to compromise Barracuda Email Security Gateway (ESG).

This technical summary focuses on the procedural behaviors and artifacts observed across the analyzed samples. The intrusion leveraged CVE-2023-2868 against Barracuda ESG to drop multiple components: a SUBMARINE artifact that embeds a base64 string in its filename to execute shell commands (it changes permissions and executes paths matching ‘/root/mach*’), a SKIPJACK Perl script (get_fs_info.pl) that parses /etc/fstab to enumerate filesystem and partition types, and a trojanized Lua module (mod_sender.lua / SEASPRAY) that registers an email-attachment handler, checks for a hard-coded marker (‘obt’), and calls os.execute to launch the helper executable (saslautchd).
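The SUBMARINE filename above carries its command inside a base64 run surrounded by shell tokens. As an added triage example (not code from the CISA report or from the samples it describes), the Python below scans a list of filenames for that combination and decodes any long base64 run so an analyst can read what it expands to. The sample list is constructed here: its first entry is the filename listed in the indicators, the other two are made-up benign controls.

```python
import base64
import re

# Constructed list for the demo: the first entry is the SUBMARINE filename from
# the CISA report, the other two are ordinary names added here as controls.
SAMPLE_FILENAMES = [
    "machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh_-slack",
    "invoice_2023_Q2.pdf",
    "report-final_v2.docx",
]

# Substrings that have no business in an attachment name but are the building
# blocks of a decode-and-execute pipeline (underscores stand in for spaces here).
SHELL_TOKENS = ("base64", "echo", "sh_-", "sh -", "/bin/sh", "|", "`", "$(")

# A run of 24+ base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _mostly_text(s):
    """True when every character is printable or ordinary whitespace."""
    return all(c.isprintable() or c in "\n\r\t" for c in s)


def decode_b64_runs(name):
    """Decode each long base64-looking run in name; keep the decodes that are text."""
    decoded = []
    for m in B64_RUN.finditer(name):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not really base64
            continue
        text = raw.decode("ascii", errors="replace")
        if _mostly_text(text):
            decoded.append(text)
    return decoded


def triage_filename(name):
    """Score one filename: suspicious when shell tokens co-occur with a decodable
    payload, or when two or more shell tokens appear on their own."""
    tokens = [t for t in SHELL_TOKENS if t in name]
    decoded = decode_b64_runs(name)
    suspicious = (bool(tokens) and bool(decoded)) or len(tokens) >= 2
    return {"name": name, "tokens": tokens, "decoded": decoded, "suspicious": suspicious}


def triage_all(names):
    """Return the triage records of every suspicious filename, in input order."""
    return [r for r in (triage_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_FILENAMES):
        print(r["name"][:40], r["tokens"], repr(r["decoded"]))
```

Run against the listed filename, the decoded run reads as a chmod on /root/mac* followed by a shell invocation of /root/mach*, matching the behaviour the report attributes to SUBMARINE; the two controls produce no tokens and no decodable run, so they are not reported.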

The WHIRLPOOL ELF backdoor performs extensive environment and system discovery (CPU detection via cpuid, uname/kernel version checks, and reading many /etc and /proc files and environment variables), creates network sockets and connects to remote hosts, and spawns a shell (execve ‘sh -c /bin/sh’), implementing reverse-shell behavior and DNS resolution via sys_getpeername and interaction with the nscd Unix socket. The SALTWATER shared object accepts data over an existing socket using recv, creates threads (pthread_create) to inject and run functions (one for DNS resolution, another for C2 communication), establishes TLS v1 connections for encrypted C2, and can execute arbitrary shell commands via popen.

Detection and response artifacts provided include multiple SHA256 hashes, YARA rules for each family, and explicit relationships (SEASPRAY invokes saslautchd; saslautchd is associated with WHIRLPOOL). Defensive actions should focus on detection of the listed filenames/hashes, monitoring for unexpected use of os.execute/execve and /bin/sh spawning from network-facing services, socket-based recv activity and thread injection behaviors, and TLS-based C2 channels. Read more: https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0
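To make the defensive actions above concrete, here is an added example (not CISA's detection content and not a Barracuda tool) that applies three of them to a constructed set of process-exec events: a hash match against the two SHA256s listed on this page, a filename match against the listed names, and a shell spawned beneath a network-facing service. The service name smtp-worker is a hypothetical placeholder, the events are made up, and pairing one of the listed hashes with the saslautchd event is also an assumption, since the page does not say which hash belongs to which sample.

```python
import os

# Hashes and filenames published in the CISA report. The page does not map
# hashes to families, so the event below that carries one does so arbitrarily.
IOC_SHA256 = {
    "4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c",
    "44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598",
}
IOC_FILENAMES = {"get_fs_info.pl", "mod_sender.lua", "saslautchd", "mod_rft.so"}

# Assumption: 'smtp-worker' is a placeholder for whatever network-facing mail
# process the monitored host runs; it is not a Barracuda process name.
NETWORK_FACING = {"smtp-worker"}
SHELLS = {"sh", "bash", "dash"}

# Constructed process-exec events (not from the report): pid, ppid, image, argv, sha256.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "/usr/sbin/smtp-worker", "argv": "smtp-worker", "sha256": None},
    {"pid": 101, "ppid": 100, "image": "/usr/bin/perl", "argv": "perl /tmp/get_fs_info.pl sda1", "sha256": None},
    {"pid": 102, "ppid": 100, "image": "/tmp/saslautchd", "argv": "saslautchd",
     "sha256": "4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c"},
    {"pid": 103, "ppid": 102, "image": "/bin/sh", "argv": "sh -c /bin/sh", "sha256": None},
    {"pid": 200, "ppid": 1,   "image": "/usr/sbin/cron", "argv": "cron", "sha256": None},
    {"pid": 201, "ppid": 200, "image": "/bin/sh", "argv": "sh -c /usr/sbin/logrotate", "sha256": None},
]


def ancestor_names(events, pid):
    """Return image basenames of pid's ancestors, nearest first, guarding against ppid loops."""
    by_pid = {e["pid"]: e for e in events}
    names, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        names.append(os.path.basename(cur["image"]))
    return names


def detect(events):
    """Apply the three checks to every event; return (pid, rule) alerts in event order."""
    alerts = []
    for e in events:
        image = os.path.basename(e["image"])
        argv_names = {os.path.basename(tok) for tok in e["argv"].split()}
        # 1. Executed image matches a published hash.
        if e["sha256"] in IOC_SHA256:
            alerts.append((e["pid"], "ioc_hash"))
        # 2. Image or any argv token is one of the published filenames
        #    (catches 'perl get_fs_info.pl' as well as a direct saslautchd exec).
        if image in IOC_FILENAMES or argv_names & IOC_FILENAMES:
            alerts.append((e["pid"], "ioc_filename"))
        # 3. A shell whose ancestry includes a network-facing service; the
        #    'sh -c /bin/sh' execve attributed to WHIRLPOOL would land here,
        #    while cron-driven shells are left alone.
        if image in SHELLS and NETWORK_FACING & set(ancestor_names(events, e["pid"])):
            alerts.append((e["pid"], "shell_from_network_service"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The ancestry walk is what separates the interesting shell (pid 103, reached through saslautchd from the mail process) from routine ones such as the cron child; in a real pipeline the same three functions would consume EDR or auditd exec records instead of the inline list.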