“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance,” CISA wrote at the time in its advisory. “SUBMARINE contains a number of artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”
Mandiant refers to this implant as DEPTHCHARGE and released more details about how it works in its new report this week. The malware is delivered as a Linux shared object library and is loaded into the Barracuda SMTP (BSMTP) daemon using LD_PRELOAD.
The malware is deployed via a malicious trigger inserted into the MySQL database that holds the configuration data for the Barracuda ESG appliance. The trigger fires whenever a row is removed from the configuration database, which, according to Mandiant's analysis, happens frequently during normal operation as well as when a configuration backup is restored. In other words, it is a persistence mechanism that also lets the attackers infect a new appliance if the configuration from the old one is imported into it and applied.
The trigger writes an installer script to a location on disk from encrypted code stored inside the trigger itself. However, the trigger cannot execute the payload on its own. To achieve execution, the attackers used a novel technique: they chose a filename that causes other Barracuda code to execute the file, owing to a two-argument form of Perl's open() function. This shows good knowledge of the Barracuda codebase.
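Because the persistence chain described above rides along inside an exported configuration, a defender's natural checkpoint is the configuration dump itself, before it is restored into a replacement appliance. The following is an added example, not code from Mandiant, CISA or Barracuda: it parses `CREATE TRIGGER` statements out of a mysqldump-style export and flags trigger bodies that write to the filesystem (`INTO OUTFILE`/`INTO DUMPFILE`), decode embedded data (`FROM_BASE64`, `UNHEX`, `AES_DECRYPT`), or carry a long opaque literal. The sample dump, the table and trigger names, and the placeholder blob are all constructed for the example; they are not the real DEPTHCHARGE trigger.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of a mysqldump-style export of a configuration database.
# The first trigger is a plausible benign audit trigger; the second is a
# constructed stand-in for the pattern described in the article (fires on row
# deletion, decodes an embedded blob, writes it to disk). Neither is real
# Barracuda schema or real malware content; the blob is a run of 'A's.
SAMPLE_DUMP = f"""
DELIMITER ;;
CREATE TRIGGER `audit_cfg_delete` AFTER DELETE ON `config` FOR EACH ROW BEGIN
  INSERT INTO config_audit (k, deleted_at) VALUES (OLD.k, NOW());
END ;;
CREATE TRIGGER `cfg_cleanup` AFTER DELETE ON `config` FOR EACH ROW BEGIN
  SELECT FROM_BASE64('{'A' * 96}') INTO DUMPFILE '/tmp/constructed_example_name';
END ;;
DELIMITER ;
"""

# Header of a trigger definition plus its body, which runs until the next
# CREATE TRIGGER, a DELIMITER line, or end of input.
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(?P<name>\w+)`?\s+"
    r"(?P<timing>BEFORE|AFTER)\s+(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>.*?)"
    r"(?=\n\s*CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER|\n\s*DELIMITER|\Z)",
    re.IGNORECASE | re.DOTALL,
)

# Indicators a trigger body should not normally need in a configuration store.
FILE_WRITE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)
DECODE_FN_RE = re.compile(r"\b(?:FROM_BASE64|UNHEX|AES_DECRYPT)\s*\(", re.IGNORECASE)
BLOB_RE = re.compile(r"'[A-Za-z0-9+/=]{64,}'")  # long base64/hex-looking literal


@dataclass
class TriggerFinding:
    name: str
    timing: str
    event: str
    table: str
    indicators: list = field(default_factory=list)


def parse_triggers(dump: str):
    """Return (name, timing, event, table, body) for every trigger in the dump."""
    found = []
    for m in TRIGGER_RE.finditer(dump):
        body = m.group("body").strip().rstrip(";").strip()
        found.append((m.group("name"), m.group("timing").upper(),
                      m.group("event").upper(), m.group("table"), body))
    return found


def assess_body(body: str):
    """Label the suspicious constructs present in one trigger body."""
    indicators = []
    if FILE_WRITE_RE.search(body):
        indicators.append("file_write")
    if DECODE_FN_RE.search(body):
        indicators.append("decode_function")
    if BLOB_RE.search(body):
        indicators.append("long_literal_blob")
    return indicators


def audit(dump: str):
    """Assess every trigger in a configuration export."""
    return [TriggerFinding(n, t, e, tb, assess_body(b))
            for n, t, e, tb, b in parse_triggers(dump)]


def flagged(dump: str):
    """Names of triggers that carry at least one indicator."""
    return [f.name for f in audit(dump) if f.indicators]


if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        status = ", ".join(finding.indicators) or "clean"
        print(f"{finding.name}: {finding.timing} {finding.event} ON {finding.table} -> {status}")
```

Run it against a real export by reading the dump file into `audit()`. Any trigger that writes files or decodes embedded data warrants manual review before the configuration is imported, regardless of the event that fires it; a trigger on DELETE that does so matches the behaviour the article describes and should block the restore until explained.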
DEPTHCHARGE is a backdoor that can accept incoming TCP connections but also listens for commands that masquerade as SMTP commands: they begin with the string EHLO and are encrypted with AES-256. According to Mandiant, this implant was deployed on 2.6% of compromised appliances, including those belonging to US and foreign government entities, as well as high-tech and information technology providers.
“It was common practice for impacted victims to export their configuration from compromised appliances so it could be restored into a clean one,” Mandiant warns. “Therefore, if the DEPTHCHARGE trigger was present in the exported configuration, it would effectively allow UNC4841 to infect the clean device with the DEPTHCHARGE backdoor via this execution chain, and potentially maintain access even after full replacement of the appliance.”