On Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released details of a “unique persistent backdoor” named SUBMARINE, used by threat actors in connection with the compromise of Barracuda Email Security Gateway (ESG) appliances.
“SUBMARINE consists of multiple elements — encompassing a SQL trigger, shell scripts, and a loaded library for a Linux daemon — which together facilitate execution with root privileges, persistence, command and control, and cleanup,” stated the agency.
The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical vulnerability in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows remote command injection.
Evidence gathered so far indicates that the actor behind the campaign, a suspected China-nexus group tracked by Mandiant as UNC4841, exploited the flaw as a zero-day in October 2022 to gain initial access to victim networks and installed backdoors to maintain persistent access.
The infection chain involved sending phishing emails with booby-trapped TAR file attachments to trigger the exploit, which in turn dropped a reverse shell payload that established communication with the attacker’s command-and-control (C2) server, from which a passive backdoor known as SEASPY was downloaded to execute arbitrary commands on the appliance.
SUBMARINE, which the Google-owned threat intelligence firm tracks as DEPTHCHARGE, is the latest malware family found in connection with the campaign. Running with root privileges, it resides in a Structured Query Language (SQL) database on the ESG appliance and “receives encrypted commands and conceals its responses in SMTP traffic.”
It’s believed to have been “deployed in reaction to remediation efforts,” consistent with Mandiant’s characterization of the adversary as an aggressive actor able to quickly modify its malware and bring in additional persistence mechanisms in an effort to maintain access.
CISA also said it “examined artifacts related to SUBMARINE that contained the contents of the compromised SQL database,” and warned that the backdoor “poses a significant threat for lateral movement.”