{
	"id": "f7ba2b61-097c-4b49-8ac2-03925b37c622",
	"created_at": "2026-04-06T00:22:11.672925Z",
	"updated_at": "2026-04-10T03:21:09.713892Z",
	"deleted_at": null,
	"sha1_hash": "b43384b277e8e9c0a98f8984fee2d683ece81ef2",
	"title": "MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 722644,
	"plain_text": "MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY,\r\nWHIRLPOOL, and SALTWATER Backdoors | CISA\r\nPublished: 2023-09-07 · Archived: 2026-04-05 12:52:36 UTC\r\nNotification\r\nThis report is provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not\r\nprovide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial\r\nproduct or service referenced in this bulletin or otherwise.\r\nThis document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use\r\nTLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and\r\nprocedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without\r\nrestriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.\r\nSummary\r\nDescription\r\nCISA obtained five malware samples - including artifacts related to SUBMARINE, SKIPJACK, SEASPRAY,\r\nWHIRLPOOL, and SALTWATER backdoors. 
The device was compromised by threat actors exploiting CVE-2023-2868, a\r\nformer zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).\r\nFor information about related malware, specifically information on the initial exploit payload, SEASPY backdoor,\r\nWHIRLPOOL backdoor, and the SUBMARINE backdoor, see CISA Alert: CISA Releases Malware Analysis Reports on\r\nBarracuda Backdoors.\r\nSubmitted Files (5)\r\n4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c (machineecho_-n_Y2htb2QgK3ggL3J...)\r\n44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598 (mod_sender.lua)\r\n63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90 (get_fs_info.pl)\r\n9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf (saslautchd)\r\ncaab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc (mod_rft.so)\r\nFindings\r\n4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c\r\nDetails\r\nName machineecho_-n_Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK___base64_-d__sh_-slack\r\nSize 3894 bytes\r\nType data\r\nMD5 9fdc1dc99bc8184ee410880427dba89c\r\nSHA1 be570775552f937d8588bceb3e2cbb0c18408fc1\r\nSHA256 4183edae732506a18b5c802cbf0a471a77c3f1e4336a32ccb4958671e404493c\r\nSHA512 2bb94fdfe31a464c63b8cd726f6ba1c3b18da538221d5bae943dfb03ec353a41826bdcb007bc2b7dfeb76afe619aa8ce078808e9b30079a6f\r\nssdeep 3::\r\nhttps://www.cisa.gov/news-events/analysis-reports/ar23-250a-0\r\nPage 1 of 13\n\nEntropy 0.000000\r\nMalware\r\nResult\r\nunknown\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nNo matches found.\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis file is a SUBMARINE artifact, an empty text/data file. 
The file name is crafted to exploit a vulnerability in the\r\ntarget environment whereby the Base64 string embedded in the file name is decoded and executed by the Linux shell. The code in Figure 1\r\nwill change the permissions of any directory/file/path that begins with '/root/mac' to executable. Then, any file whose\r\npath begins with '/root/mach' is executed via 'sh'.\r\nScreenshots\r\nFigure 1 - Figure 1 depicts the Base64 encoded, and decoded, name of the artifact.\r\n63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90\r\nDetails\r\nName get_fs_info.pl\r\nSize 530 bytes\r\nType Perl script text executable\r\nMD5 ad1dc51a66201689d442499f70b78dea\r\nSHA1 c71bccdc006cca700257a69ed227e0cb1bc071ed\r\nSHA256 63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90\r\nSHA512 3258af057858ef0930a48771869871736bfb866ef740e81f2518c0d4c217b5c0c5f8eb06985b72a3762ce011458245940be6bb1d4907d2ed\r\nssdeep 12:HA4SKFBMygPZr7NBiC+c6jaY7PCbozFJG:thFBMZr7NBazjTzCbozG\r\nEntropy 4.638131\r\nMalware\r\nResult\r\nunknown\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10454006_11 : trojan\r\n{\r\n   meta:\r\n       author = \"CISA Code \u0026 Media Analysis\"\r\n       incident = \"10454006\"\r\n       date = \"2023-07-20\"\r\n       last_modified = \"20230726_1700\"\r\n       actor = \"n/a\"\r\n       family = \"n/a\"\r\n       Capabilities = \"n/a\"\r\n       Malware_Type = \"trojan\"\r\n       Tool_Type = \"unknown\"\r\n       description = \"Detects perl script linked to SKIPJACK backdoor samples\"\r\n       SHA256 = \"63788797919985d0e567cf9133ad2ab7a1c415e81598dc07c0bfa3a1566aeb90\"\r\n   strings:\r\n       $s1 = { 2f 65 74 63 2f 66 73 74 61 62 2e 6d 61 69 6e }\r\n       $s2 = { 28 3c 46 53 54 41 42 3e 29 }\r\n       $s3 = { 6d 79 20 28 24 70 61 72 74 69 74 69 6f 6e 2c 20 24 66 73 5f 74 79 70 65 29 }\r\n       $s4 = { 70 72 69 
6e 74 20 24 66 73 5f 74 79 70 65 }\r\n       $s5 = { 70 72 69 6e 74 20 24 70 61 72 74 69 74 69 6f 6e }\r\n   condition:\r\n       all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact, belonging to the SKIPJACK malware family, is a Perl script that enumerates file system information. This\r\nscript first checks the file system by opening '/etc/fstab.main,' then checks the value against 'ARGV[0],' the first element of the array Perl\r\nautomatically provides to hold the command-line arguments. The script will print either 'xfs' or 'hda' depending on the\r\ntype of file system it finds. The script contains a second if statement that gathers more information about the type of file\r\nsystem. This second if statement contains the regular expression '/^\\/dev\\/(\\S+)\\d+\\s+\\/\\s+(\\S+)/,' which matches an\r\nfstab-style entry for a '/dev/' device mounted at '/', as found in '/etc/fstab.' The script uses this second half of the code to check for file system type or information about the partition, which\r\nit then prints based on the value of '$requested_data.'\r\nScreenshots\r\nFigure 2 - Figure 2 depicts code contained in \"get_fs_info.pl.\"\r\n44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598\r\nDetails\r\nName mod_sender.lua\r\nSize 3930 bytes\r\nType ASCII text\r\nMD5 666da297066a2596cacb13b3da9572bf\r\nSHA1 64b337d7e82c82a4b40c8cb88fbc651929995eef\r\nSHA256 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598\r\nSHA512 4881a79d95bf83190be1542d7b26c7b1dee5eece1a689dc81bf2b661b43b3d724703dc4a48f824d8d960e2a480bcbea2e4007eb19023ee1b\r\nssdeep 96:JnJKszX3Z+p351GUw5FbsNmnwdx8sMEFoiKe3:JnJjzZ+j14FIEnqxjMEKQ\r\nEntropy 5.041616\r\nMalware\r\nResult\r\nunknown\r\nAntivirus\r\nNo matches found.\r\nYARA Rules\r\nrule CISA_10454006_12 : SEASPRAY trojan evades_av\r\n{\r\n   meta:\r\n       author = \"CISA Code \u0026 
Media Analysis\"\r\n       incident = \"10454006\"\r\n       date = \"2023-08-23\"\r\n       last_modified = \"20230905_1500\"\r\n       actor = \"n/a\"\r\n       family = \"SEASPRAY\"\r\n       capabilities = \"evades-av\"\r\n       malware_type = \"trojan\"\r\n       tool_type = \"unknown\"\r\n       description = \"Detects SEASPRAY samples\"\r\n       sha256 = \"44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598\"\r\n   strings:\r\n       $s1 = { 6f 73 2e 65 78 65 63 75 74 65 28 27 73 61 73 6c 61 75 74 63 68 64 27 }\r\n       $s2 = { 73 65 6e 64 65 72 }\r\n       $s3 = { 73 74 72 69 6e 67 2e 66 69 6e 64 }\r\n       $s4 = { 73 74 72 69 6e 67 2e 6c 6f 77 65 72 }\r\n       $s5 = { 62 6c 6f 63 6b 2f 61 63 63 65 70 74 }\r\n       $s6 = { 72 65 74 75 72 6e 20 41 63 74 69 6f 6e 2e 6e 65 77 7b }\r\n       $s7 = { 4c 69 73 74 65 6e 65 72 2e 6e 65 77 7b }\r\n   condition:\r\n       filesize \u003c 10KB and all of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n44e1fbe71c... Used 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf\r\nDescription\r\nThis artifact is a trojanized Lua module that has been identified as a \"SEASPRAY\" variant. SEASPRAY registers an event\r\nhandler for all incoming email attachments. This variant checks the sender against the string “obt”, which is hard-coded in\r\nthe Lua file. If that string is found, the malware uses os.execute to execute the file “saslautchd”, see Figure 3.\r\nScreenshots\r\nFigure 3 - This screenshot illustrates how SEASPRAY filters traffic looking for the string \"obt\". 
Once that\r\nstring is received, SEASPRAY uses os.execute to execute the file \"saslautchd\".\r\n9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf\r\nTags\r\ntrojan\r\nDetails\r\nName saslautchd\r\nSize 5034648 bytes\r\nType\r\nELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=913db6f2f3c21bcb11e0fd02e2b88908b1\r\nGNU/Linux 3.2.0, stripped\r\nMD5 436587bad5e061a7e594f9971d89c468\r\nSHA1 cf22082532d4d6387ea1c9bc4dc5b255aa7a0290\r\nSHA256 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf\r\nSHA512 825ba4c46f1f9c5a4f2ab3ccfd8e3ec02f50f749776df783a085aff89cb19ed983b07ecd0703c74a0474bec56e918ada002b683dec1228f181\r\nssdeep 98304:J8sPi2iUKJYO0OAgikIn9FCJM+rXKZ9ldvVkhyfMuG9vU:xVUildN0uX\r\nEntropy 6.384586\r\nMalware\r\nResult\r\nunknown\r\nAntivirus\r\nAntiy Trojan/Linux.SAgnt\r\nAvira LINUX/Whirlpool.A\r\nBitdefender Trojan.Generic.34035237\r\nEmsisoft Trojan.Generic.34035237 (B)\r\nESET Linux/WhirlPool.A trojan\r\nMcAfee Generic trojan.xj\r\nSophos Linux/Agnt-BS\r\nVarist E64/Agent.FP\r\nYARA Rules\r\nrule CISA_10452108_02 : WHIRLPOOL backdoor communicates_with_c2 installs_other_components\r\n{\r\n   meta:\r\n       author = \"CISA Code \u0026 Media Analysis\"\r\n       incident = \"10452108\"\r\n       date = \"2023-06-20\"\r\n       last_modified = \"20230804_1730\"\r\n       actor = \"n/a\"\r\n       family = \"WHIRLPOOL\"\r\n       Capabilities = \"communicates-with-c2 installs-other-components\"\r\n       Malware_Type = \"backdoor\"\r\n       Tool_Type = \"unknown\"\r\n       description = \"Detects malicious Linux WHIRLPOOL samples\"\r\n       sha256_1 = \"83ca636253fd1eb898b244855838e2281f257bbe8ead428b69528fc50b60ae9c\"\r\n       sha256_2 = \"8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347\"\r\n   strings:\r\n       $s0 = { 65 72 72 6f 72 20 2d 31 20 65 78 69 74 }\r\n       $s1 = { 63 
72 65 61 74 65 20 73 6f 63 6b 65 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\r\n       $s2 = { c7 00 20 32 3e 26 66 c7 40 04 31 00 }\r\n       $a3 = { 70 6c 61 69 6e 5f 63 6f 6e 6e 65 63 74 }\r\n       $a4 = { 63 6f 6e 6e 65 63 74 20 65 72 72 6f 72 3a 20 25 73 28 65 72 72 6f 72 3a 20 25 64 29 }\r\n       $a5 = { 73 73 6c 5f 63 6f 6e 6e 65 63 74 }\r\n   condition:\r\n       uint32(0) == 0x464c457f and 4 of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nRelationships\r\n9f04525835... Used_By 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598\r\nDescription\r\nThis artifact, belonging to the WHIRLPOOL malware family, is a 64-bit Linux Executable and Linkable Format (ELF) file.\r\nThe malware checks processor hardware and architecture, including whether the target system uses an AMD or Intel CPU, see Figure 4.\r\nFigure 5 shows the malware determining the kernel version by invoking the 'uname' command and reading\r\nthe contents of the '/proc/sys/kernel/osrelease' file. Figures 6, 7, and 8 show the malware's capacity to connect to a remote\r\naddress, and then create a new process with the command line argument '/bin/sh.' The connection to a remote host and the\r\ninvocation of a shell are the two components/phases used by reverse shells. Figure 9 shows the malware's capacity to\r\ninteract with the Name Service Cache Daemon by creating and connecting to a Unix socket at '/var/run/nscd/socket.' This\r\nsocket can cache Domain Name System (DNS) requests. Rather than listening on port 53, it listens on the socket file itself\r\nfor data from other programs/processes. Figure 10 shows the malware's capacity to perform DNS resolution, using the\r\nsystem call 'sys_getpeername.' The malware accesses the target's environment variables. 
See the list below:\r\n--Begin Accessed Environment Variables--\r\nGCONV_PATH\r\nGETCONF_DIR\r\nHTTPS_PROXY\r\nHTTP_PROXY\r\nLANG\r\nLANGUAGE\r\nLC_ALL\r\nLC_COLLATE\r\nLD_WARN\r\nLD_LIBRARY_PATH\r\nLD_BIND_NOW\r\nLD_BIND_NOT\r\nLD_DYNAMIC_WEAK\r\nLD_PROFILE_OUTPUT\r\nLD_ASSUME_KERNEL\r\nLOCALDOMAIN\r\nNO_PROXY\r\nOPENSSL_CONF\r\nOPENSSL_ia32cap\r\nOUTPUT_CHARSET\r\nPOSIX\r\nTZ\r\nTZDIR\r\nRESOLV_ADD_TRIM_DOMAINS\r\nRESOLV_HOST_CONF\r\nRESOLV_MULTI\r\nRESOLV_OVERRIDE_TRIM_DOMAINS\r\nRES_OPTIONS\r\nRESOLV_REORDER\r\n--End Accessed Environment Variables--\r\nThe malware further accesses the following files at runtime:\r\n--Begin Accessed Files--\r\n/etc/aliases\r\n/etc/ethers\r\n/etc/group\r\n/etc/hosts\r\n/etc/networks\r\n/etc/protocols\r\n/etc/passwd\r\n/etc/rpc\r\n/etc/services\r\n/etc/gshadow\r\n/etc/shadow\r\n/etc/netgroup\r\n/dev/full\r\n/dev/urandom\r\n/dev/random\r\n/proc/sys/kernel/rtsig-\r\n/proc/sys/kernel/ngroups_max\r\n/sys/devices/system/cpu/online\r\n/proc/stat\r\n/proc/self/fd\r\n--End Accessed Files--\r\nScreenshots\r\nFigure 4 - Figure 4 depicts the use of the 'cpuid' assembly instruction and strings amalgamating to 'intel' and\r\n'AMD.'\r\nFigure 5 - Figure 5 depicts the 'uname' Linux OS command. This figure further depicts a call to\r\nfunctions that open and read the contents of the path '/proc/sys/kernel/osrelease.'\r\nFigure 6 - Figure 6 depicts the creation of a socket that facilitates Internet Protocol Version 4 connections. 
It\r\nfurther depicts a connection to a remote address using the 'sys_connect' function.\r\nFigure 7 - Figure 7 depicts the string 'sh -c /bin/sh' fed into the 'sys_execve' function as an argument.\r\nFigure 8 - Figure 8 depicts the string 'sh -c /bin/sh' fed into the 'sys_execve' function as an argument.\r\nFigure 9 - Figure 9 shows the malware's ability to interact with the Name Service Cache Daemon.\r\nFigure 10 - Figure 10 depicts the Linux OS system call, 'sys_getpeername.'\r\ncaab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc\r\nTags\r\ntrojan\r\nDetails\r\nName mod_rft.so\r\nSize 1668232 bytes\r\nType ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped\r\nMD5 4ec4ceda84c580054f191caa09916c68\r\nSHA1 6505513ca06db10b17f6d4792c30a53733309231\r\nSHA256 caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc\r\nSHA512 c61493cfa3c6c41520b6ef608da9398b4fa6a7805293bc98d628335f536509d95585d42f93b8edeabf971390e874c5291b552afe66d726518\r\nssdeep 24576:25gY/a9MQrLO457KIRTQvAunkEKkb8EHA4pje0ET1Nyb+YpYcNvwoQItHzUMDb:25b8y45V2IVEHASjezfYHwoDzUM\r\nEntropy 6.211061\r\nMalware\r\nResult\r\nunknown\r\nAntivirus\r\nAhnLab Malware/Linux.Agent\r\nAntiy Trojan/Linux.SaltWater.b\r\nBitdefender Trojan.Linux.Generic.313776\r\nEmsisoft Trojan.Linux.Generic.313776 (B)\r\nESET a variant of Linux/SaltWater.B trojan\r\nMcAfee Generic trojan.xj\r\nQuick Heal ELF.WhirlPool.48041.GC\r\nSophos Linux/Agnt-BS\r\nYARA Rules\r\nrule CISA_10454006_13 : SALTWATER backdoor exploit_kit communicates_with_c2 determines_c2_server hides_executing_code exploitation\r\n{\r\n   meta:\r\n       author = \"CISA Code \u0026 Media Analysis\"\r\n       incident = \"10454006\"\r\n       date = \"2023-08-10\"\r\n       last_modified = \"20230905_1500\"\r\n       actor = 
\"n/a\"\r\n       family = \"SALTWATER\"\r\n       capabilities = \"communicates-with-c2 determines-c2-server hides-executing-code\"\r\n       malware_type = \"backdoor exploit-kit\"\r\n       tool_type = \"exploitation\"\r\n       description = \"Detects SALTWATER samples\"\r\n       sha256 = \"caab341a35badbc65046bd02efa9ad2fe2671eb80ece0f2fa9cf70f5d7f4bedc\"\r\n   strings:\r\n       $s1 = { 70 74 68 72 65 61 64 5f 63 72 65 61 74 65 }\r\n       $s2 = { 67 65 74 68 6f 73 74 62 79 6e 61 6d 65 }\r\n       $s3 = { 54 72 61 6d 70 6f 6c 69 6e 65 }\r\n       $s4 = { 64 73 65 6c 64 73 }\r\n       $s5 = { 25 30 38 78 20 28 25 30 32 64 29 20 25 2d 32 34 73 20 25 73 25 73 25 73 0a }\r\n       $s6 = { 45 6e 74 65 72 20 6f 75 73 63 64 6f 6f 65 7c 70 72 65 64 61 72 65 28 25 70 2c 20 25 70 2c 20 25 70 29 }\r\n       $s7 = { 45 6e 74 65 72 20 61 75 74 63 63 6f 6f 71 38 63 72 65 61 74 65 }\r\n       $s8 = { 74 6e 6f 72 6f 74 65 63 74 6a 73 65 6d 6f 72 79 }\r\n       $s9 = { 56 55 43 4f 4d 49 53 53 }\r\n       $s10 = { 56 43 4f 4d 49 53 53 }\r\n       $s11 = { 55 43 4f 4d 49 53 44 }\r\n       $s12 = { 41 45 53 4b 45 59 47 45 4e 41 53 53 49 53 54 }\r\n       $s13 = { 46 55 43 4f 4d 50 50 }\r\n       $s14 = { 55 43 4f 4d 49 53 53 }\r\n   condition:\r\n       uint16(0) == 0x457f and filesize \u003c 1800KB and 8 of them\r\n}\r\nssdeep Matches\r\nNo matches found.\r\nDescription\r\nThis artifact, belonging to the SALTWATER malware family, is a 32-bit Linux Shared Object (.so) file. The malware can\r\nreceive data over the network, using a previously established socket, with the 'recv' function as shown in Figure 11. Figure 12\r\nshows the malware creating a new thread within the calling process. This is thread injection, and it can inject two different\r\nfunctions. Figure 13 shows the first function, which can perform DNS resolution. 
Figures 14 and 15 show the second function.\r\nThe second function can establish communications over the network using a TLS version 1 connection. Lastly, using\r\n'popen', the malware can execute any shell command with the same privileges as its calling process.\r\nScreenshots\r\nFigure 11 - Figure 11 depicts the 'recv' Berkeley Sockets function dynamically loaded and executed at\r\nruntime.\r\nFigure 12 - Figure 12 depicts the 'pthread_create' function.\r\nFigure 13 - Figure 13 depicts multiple functions from the Berkeley Sockets API.\r\nFigure 14 - Figure 14 depicts functions that facilitate Secure Sockets Layer (SSL) and TLS communications.\r\nFigure 15 - Figure 15 depicts the 'popen' function.\r\nRelationship Summary\r\n44e1fbe71c... Used 9f04525835f998d454ed68cfc7fcb6b0907f2130ae6c6ab7495d41aa36ad8ccf\r\n9f04525835... Used_By 44e1fbe71c9fcf9881230cb924987e0e615a7504c3c04d44ae157f07405e3598\r\nRecommendations\r\nCISA recommends that users and administrators consider using the following best practices to strengthen the security\r\nposture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators\r\nprior to implementation to avoid unwanted impacts.\r\nMaintain up-to-date antivirus signatures and engines.\r\nKeep operating system patches up-to-date.\r\nDisable File and Printer sharing services. If these services are required, use strong passwords or Active Directory\r\nauthentication.\r\nRestrict users' ability (permissions) to install and run unwanted software applications. 
Do not add users to the local\r\nadministrators group unless required.\r\nEnforce a strong password policy and implement regular password changes.\r\nExercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be\r\nknown.\r\nEnable a personal firewall on agency workstations, configured to deny unsolicited connection requests.\r\nDisable unnecessary services on agency workstations and servers.\r\nScan for and remove suspicious e-mail attachments; ensure the scanned attachment is its \"true file type\" (i.e., the\r\nextension matches the file header).\r\nMonitor users' web browsing habits; restrict access to sites with unfavorable content.\r\nExercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).\r\nScan all software downloaded from the Internet prior to executing.\r\nMaintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).\r\nAdditional information on malware incident prevention and handling can be found in National Institute of Standards and\r\nTechnology (NIST) Special Publication 800-83, \"Guide to Malware Incident Prevention \u0026 Handling for Desktops and\r\nLaptops\".\r\nContact Information\r\nDocument FAQ\r\nWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in\r\na timely manner. In most instances this report will provide initial indicators for computer and network defense. To request\r\nadditional analysis, please contact CISA and provide information regarding the level of desired analysis.\r\nWhat is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware\r\nanalysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide\r\ninformation regarding the level of desired analysis.\r\nCan I edit this document? 
This document is not to be edited in any way by recipients. All comments or questions related to\r\nthis document should be directed to CISA at contact@mail.cisa.dhs.gov or 1-844-Say-CISA.\r\nCan I submit malware to CISA? Malware samples can be submitted via three methods:\r\nWeb: https://malware.us-cert.gov\r\nE-Mail: submit@malware.us-cert.gov\r\nFTP: ftp.malware.us-cert.gov (anonymous)\r\nCISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software\r\nvulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.\r\nSource: https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0"
	],
	"report_names": [
		"ar23-250a-0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b43384b277e8e9c0a98f8984fee2d683ece81ef2.pdf",
		"text": "https://archive.orkl.eu/b43384b277e8e9c0a98f8984fee2d683ece81ef2.txt",
		"img": "https://archive.orkl.eu/b43384b277e8e9c0a98f8984fee2d683ece81ef2.jpg"
	}
}