A Chinese cyberespionage group hacked Barracuda Email Security Gateway (ESG) appliances through a zero-day vulnerability until May. They have now rushed to deploy new malware implants on victims’ devices once the attack was discovered and remediation efforts started. The group is tracked as UNC4841, and based on its target selection and espionage focus, it’s suspected to serve the interests of the Chinese government.
“UNC4841 has continued to show sophistication and adaptability in response to remediation efforts,” researchers from Google-owned incident response firm Mandiant said in a new report. “UNC4841’s deployment select backdoors suggests this threat actor anticipated, and prepared for remediation efforts, by creating tooling in advance to remain embedded in high-value targets, should the campaign be compromised.”
An eight-month long cyberespionage campaign
UNC4841 started compromising Barracuda ESG devices globally in November 2022 through an unknown — at the time — remote command injection vulnerability that is now tracked as CVE-2023-2868. The flaw was identified on May 19 and was patched on May 30, but the attack was so sophisticated that Barracuda Networks, Mandiant and the FBI advised impacted customers to replace their devices.
The flaw was located in the ESG code that inspected attachments in the TAR archive format, so attackers sent specially crafted emails to select organizations that used vulnerable appliances knowing that the emails will be scanned and the exploit will execute. It’s estimated that 5% of Barracuda ESG appliances were exploited, but this means a lot of organizations across many countries. A third of the victims were local and national government entities — many from countries or regions where China has geopolitical interests — supporting the belief that the main goal was espionage.
The group used its access to deploy a variety of backdoors and tools, some of which involved trojanizing legitimate Lua modules that already existed on Barracuda ESG devices. Some of these implants were dubbed SALTWATER, SEASPY, SEASIDE, and WHIRLPOOL by Mandiant in June.
Three new Barracuda malware implants
As soon as Barracuda announced the vulnerability’s existence publicly and organizations started remediation efforts, the attackers began deploying an additional implant on some appliances belonging to select victims. The US Cybersecurity and Infrastructure Security Agency (CISA) warned about this implant that it dubbed SUBMARINE in July.
“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance,” CISA wrote at the time in its advisory. “SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”
Mandiant refers to this implant as DEPTHCHARGE and released more details about how it works in its new report this week. The malware is delivered as a Linux shared object library and is loaded into the Barracuda SMTP (BSMTP) daemon using LD_PRELOAD.
The malware is deployed through a malicious trigger inserted in the MySQL database that contains the configuration information for the Barracuda ESG appliance. This trigger is activated every time a row is removed from the configuration database which according to Mandiant’s analysis occurs frequently during normal operation, as well as when a configuration backup is restored. In other words, this is a persistence mechanism that also allows attackers to infect a new appliance if the configuration from the old one is imported into it and applied.
The trigger writes an installer script to a location on disk from encrypted code stored in the trigger itself. However, it can’t execute the payload. To achieve execution the attackers used a novel technique that involves using a filename that would cause other Barracuda code to execute it due to a two-argument form of Perl’s open( ) function. This shows good knowledge of the Barracuda codebase.
DEPTHCHARGE is a backdoor that can accept incoming TCP connections but also listens for commands that masquerade as SMTP commands that start with the string EHLO and are encrypted with AES-256. According to Mandiant, this implant was deployed on 2.6% of compromised appliances, including those belonging to US and foreign government entities, as well as high tech and information technology providers.
“It was common practice for impacted victims to export their configuration from compromised appliances so it could be restored into a clean one,” Mandiant warns. “Therefore, if the DEPTHCHARGE trigger was present in the exported configuration, it would effectively enable UNC4841 to infect the clean device with the DEPTHCHARGE backdoor through this execution chain, and potentially maintain access even after complete replacement of the appliance.”
Mandiant and Barracuda Networks identified cases where this might have happened and notified those victims. Additionally, the attackers harvested credentials from the MySQL configuration database and used them for lateral movement.
Yet another implant that incident responders saw UNC4841 deploy on select victims after the vulnerability became public is called SKIPJACK. This is another passive backdoor that listens for commands sent via specially crafted emails, particularly via the Content-ID and X-Barracuda-Spam-Info email header fields.
SKIPJACK is deployed by injecting malicious Lua code into a legitimate Barracuda ESG module called mod_content.lua. The implant was deployed on 5.8% of compromised appliances and selected victims included primarily government and technology organizations, but also targets from the military, defense, aerospace, and telecom sectors.
The final new implant observed on some victim devices is called FOXTROT. This is a backdoor written in C++ that listens for TCP connections and can act as a proxy. It can capture keystrokes, execute shell commands, open reverse shells, and transfer files.
What’s interesting is that unlike DEPTHCHARGE and SKIPJACK, FOXTROT does not appear designed for Barracuda ESG appliances but for any Linux system. It was probably part of UNC4841’s arsenal already and used in other operations. Its code has some overlap with an open-source tool called REPTILE.
FOXTROT is deployed on systems through a simple launcher written in C that uses Base64, Mod(13) and XOR with a hard-coded key to encrypt execution arguments for FOXTROT. The Mandiant researchers dubbed this launcher FOXGLOVE. The FOXGLOVE and FOXTROT combination was the least used one by UNC4841 on Barracuda ESG victims. It was deployed primarily on appliances at government related organizations that were high priority targets for the Chinese government.
Lateral movement after compromise
Mandiant Incident responders have also seen UNC4841 attempt to move laterally inside networks to maintain their access if victims replaced their compromised Barracuda appliances. This included network reconnaissance activity with open-source tools such as fscan and using the harvested credentials from Barracuda ESG configurations to access other systems via Active Directory, SSH, VPNs, Proxy servers and Outlook Web Access (OWA).
The attackers tried to access mailboxes via OWA but did not perform any malicious action inside, highlighting yet again that their goal was likely espionage. On some compromised appliances the attackers added new users to the /etc/passwd file to maintain backdoor access via SSH in addition to the access provided by the malware implants.
“Organizations that received these post-remediation malware families were weighted towards government (national), high tech, and information technology sectors,” Mandiant said. “This may suggest a threat actor prioritization towards conventional espionage targets and maintaining access to IT and managed service providers.”
In response to Mandiant’s report, CISA also issued an updated list of indicators of compromise to include the newly identified implants.