The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has unveiled a new threat in the form of a backdoor malware named ‘Whirlpool,’ employed in targeted attacks against compromised Barracuda Email Security Gateway (ESG) devices. This discovery follows the revelation of a suspected pro-China hacker group breaching ESG appliances using a zero-day vulnerability. The attacks, which began in October 2022, involved deploying previously unknown malware variants like Saltwater and SeaSpy, as well as a malicious tool named SeaSide. Interestingly, instead of addressing the vulnerabilities through software updates, Barracuda opted to replace affected devices for customers at no cost, highlighting the severity of the situation.
CISA’s recent disclosure exposes the intricate layers of the threat landscape, with ‘Whirlpool’ serving as the third distinct backdoor used in these targeted attacks on Barracuda ESG.
The malware, identified as a 32-bit ELF file, establishes a Transport Layer Security (TLS) reverse shell using arguments derived from a module. Although the module itself remained elusive for analysis, the Whirlpool malware’s behavior was tracked under the ‘pd’ process, as per submissions to VirusTotal.
Earlier instances of compromised ESG appliances revealed ‘SeaSpy,’ a persistent passive backdoor posing as a legitimate service. Additionally, CISA highlighted another previously unknown backdoor named ‘Submarine,’ residing in the SQL database of ESG devices, granting root access, persistence, and command and control capabilities.
To help mitigate the risks posed by these backdoors, CISA provides indicators of compromise and YARA rules for detecting infections by newly identified SeaSpy and Whirlpool variants. Individuals detecting suspicious activity or signs of compromise are encouraged to reach out to CISA’s 24/7 Operations Center for assistance in their investigations.