CISA: New Whirlpool Backdoor Used in Barracuda ESG Campaign

Security researchers have discovered a third novel backdoor that was used in attacks on users of Barracuda ESG appliances recently.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory detailing the malware, dubbed “Whirlpool.”

It claimed the backdoor established a TLS reverse shell to a command-and-control (C2) server.

“This artifact is a 32-bit ELF file that has been identified as a malware variant named ‘Whirlpool,’” the document noted.

“The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell. The module that passes the arguments was not available for analysis.”

This comes after a separate CISA update at the end of July in which the agency revealed a separate backdoor, dubbed “Submarine,” had also been used in the campaign. That one was described as “a novel persistent backdoor executed with root privileges.”

Security vendor Barracuda Networks took the unusual decision back in June to offer all users of its Email Security Gateway (ESG) appliance a replacement device, following the discovery of a sophisticated cyber-espionage campaign.

The attacks exploited a zero-day vulnerability, tracked as CVE-2023-2868, and had been ongoing since October 2022, the vendor claimed.

It was subsequently revealed by Mandiant that the threat actor was a likely Chinese APT group (UNC4841). Barracuda discovered the attacks on May 19 and patched the zero-day two days later, but the group switched malware and deployed new persistence mechanisms to maintain access.

It then upped the frequency of its attacks and targeted victims in 16 countries over the succeeding two days. That’s when Barracuda took the decision to urge all customers to replace their appliance.

The group also used malware known as Seaside as well as the previously undiscovered Saltwater and Seaspy variants in the attacks.
