Malware spotted on Barracuda email gateways

The need to replace Barracuda email gateways has taken on a new urgency, with America’s Computer and Infrastructure Security Agency (CISA) warning it has identified three malware variants planted on vulnerable devices.

Earlier this year, Barracuda advised that a remote code execution bug (CVE-2023-2868) in some of its email security gateways required affected devices to be replaced.

Some units clearly remain in service, and CISA has warned it has identified three malware variants it has spotted on Barracuda devices.

The first is a payload attackers use to drop and execute a reverse shell on the ESG appliance.

This was used to download a second backdoor, dubbed SEASPY, from the command and control (C2) server.

CISA described SEASPY as a passive, persistent backdoor masquerading as a legitimate Barracuda service, monitoring traffic from the C2 server. 

When the server sent a particular packet sequence, SEASPY established a TCP reverse shell to the C2 server, giving the threat actors the ability to execute arbitrary commands on the appliance.

CISA described the third malware variant, SUBMARINE, as a “novel persistent backdoor” that was planted in an SQL database on the appliance, and executed with root privileges.

“SUBMARINE comprises multiple artifacts—including a SQL trigger, shell scripts, and a loaded library for a Linux daemon—that together enable execution with root privileges, persistence, command and control, and cleanup,” CISA said.

“This malware poses a severe threat for lateral movement.”

The advisory includes compromise indicators, and YARA detection rules for all three malware variants.