The US Cybersecurity and Infrastructure Security Agency (CISA) has released details about a new backdoor known as Submarine, which was deployed in attacks on Barracuda Email Security Gateway (ESG) appliances.
Submarine consists of several artifacts, including an SQL trigger, shell scripts, and a library loaded by a Linux daemon. These components work together to provide persistent command and control, cleanup, and root access.
Submarine, also known as DEPTHCHARGE, runs with root privileges and resides in the SQL database of the ESG appliance. It receives encrypted commands and conceals its responses within SMTP traffic. CISA analysts examined artifacts associated with Submarine, including the contents of the compromised SQL database. The backdoor gives the attackers a foothold from which to move laterally within the victim's network.
Earlier, Barracuda Networks reported that a recently patched zero-day vulnerability in the Email Security Gateway (ESG) had been exploited by attackers since October 2022. The critical vulnerability, CVE-2023-2868 (CVSS: 9.8), was actively exploited for at least seven months before its discovery. It allowed unauthorized access to ESG appliances and theft of data.
Submarine is the fourth piece of malware that has been used in attacks on Barracuda ESG. The previous three backdoors, Saltwater, Seaspy, and Seaside, have been in use since October 2022 to steal data.