“SUBMARINE is a novel persistent backdoor that lives in a Structured Query Language (SQL) database on the ESG appliance,” CISA wrote at the time in its advisory. “SUBMARINE comprises multiple artifacts that, in a multi-step process, enable execution with root privileges, persistence, command and control, and cleanup.”
Mandiant refers to this implant as DEPTHCHARGE and released more details about how it works in its new report this week. The malware is delivered as a Linux shared object library and is loaded into the Barracuda SMTP (BSMTP) daemon using LD_PRELOAD.
The malware is deployed through a malicious trigger inserted into the MySQL database that holds the configuration for the Barracuda ESG appliance. The trigger fires every time a row is removed from the configuration database, which, according to Mandiant's analysis, happens frequently during normal operation as well as whenever a configuration backup is restored. In other words, it is a persistence mechanism that also lets the attackers infect a new appliance if the configuration from the old one is imported into it and applied.
The trigger writes an installer script to a location on disk from encrypted code stored in the trigger itself. However, the trigger cannot execute the payload on its own. To achieve execution, the attackers used a novel technique: the script is given a filename that causes other Barracuda code to execute it, because that code opens files with the two-argument form of Perl's open() function. This shows good knowledge of the Barracuda codebase.
DEPTHCHARGE is a backdoor that accepts incoming TCP connections and also listens for commands that masquerade as SMTP commands: they start with the string EHLO and are encrypted with AES-256. According to Mandiant, this implant was deployed on 2.6% of compromised appliances, including those belonging to US and foreign government entities as well as high-tech and information technology providers.
“It was common practice for impacted victims to export their configuration from compromised appliances so it could be restored into a clean one,” Mandiant warns. “Therefore, if the DEPTHCHARGE trigger was present in the exported configuration, it would effectively enable UNC4841 to infect the clean device with the DEPTHCHARGE backdoor through this execution chain, and potentially maintain access even after complete replacement of the appliance.”
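As an added defender-side example (not code from Mandiant, CISA or Barracuda), the following Python scans a configuration export for triggers that write to disk or carry long encoded literals, the traits described above, so they can be reviewed before a backup is restored into a replacement appliance. The dump layout and the two sample triggers are constructed assumptions, not the real DEPTHCHARGE trigger.

```python
"""Flag triggers in an exported ESG configuration dump that could act as a
DEPTHCHARGE-style persistence mechanism. Constructed example; dump format assumed."""
import base64
import re

# Statements that let a trigger touch files on disk (the write step described above).
FILE_OPS = re.compile(r"\b(INTO\s+(OUTFILE|DUMPFILE)|LOAD_FILE\s*\()", re.IGNORECASE)
# Long opaque string literals are how an embedded, encoded payload usually appears.
BLOB_RE = re.compile(r"'([A-Za-z0-9+/=]{64,})'")
# CREATE [DEFINER=...] TRIGGER name timing event ON table, body up to the next trigger.
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(\w+)`?\s+"
    r"(BEFORE|AFTER)\s+(INSERT|UPDATE|DELETE)\s+ON\s+`?(\w+)`?"
    r"(.*?)(?=CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER|\Z)",
    re.IGNORECASE | re.DOTALL,
)

def scan_triggers(dump: str) -> list[dict]:
    """Return one record per trigger, flagging those that write files or carry blobs."""
    findings = []
    for name, timing, event, table, body in TRIGGER_RE.findall(dump):
        reasons = []
        if FILE_OPS.search(body):
            reasons.append("writes or reads files on disk")
        if BLOB_RE.search(body):
            reasons.append("carries a long opaque literal (possible encoded payload)")
        if event.upper() == "DELETE":
            reasons.append("fires on row deletion")  # the event DEPTHCHARGE hooks; not suspicious alone
        findings.append({
            "trigger": name, "table": table, "event": f"{timing} {event}".upper(),
            "suspicious": bool(FILE_OPS.search(body) or BLOB_RE.search(body)),
            "reasons": reasons,
        })
    return findings

def suspicious_triggers(dump: str) -> list[str]:
    return [f["trigger"] for f in scan_triggers(dump) if f["suspicious"]]

# Constructed sample dump: a benign audit trigger beside a hypothetical file-writing one.
PLACEHOLDER = base64.b64encode(b"constructed placeholder, not a real payload " * 2).decode()
SAMPLE_DUMP = f"""CREATE TRIGGER `audit_cfg_del` AFTER DELETE ON `config` FOR EACH ROW
BEGIN
  INSERT INTO `config_audit` (`k`, `removed_at`) VALUES (OLD.`k`, NOW());
END;;
CREATE DEFINER=`root`@`localhost` TRIGGER `cfg_cleanup` AFTER DELETE ON `config` FOR EACH ROW
BEGIN
  SELECT '{PLACEHOLDER}' INTO OUTFILE '/tmp/placeholder_installer';
END;;
"""
```

Run `suspicious_triggers()` over the real export; anything it names should be inspected and removed before the configuration is applied to a clean device.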