Related Families: SKIPJACK, DEPTHCHARGE, FOXTROT, FOXGLOVE
Verticals Targeted: Government, Military, Defense, Aerospace, Technology, Telecommunications
- UNC4841 was observed using CVE-2023-2868 to target entities in multiple verticals, including government and military.
- The threat actors used the Barracuda ESG 0day (CVE-2023-2868) in this espionage campaign.
- Additional malware deployed on target systems included SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE.
- A small number of previously impacted victims may continue to be at risk.
Mandiant recently reported on UNC4841 activity targeting government, military, defense, aerospace, technology, and telecommunications entities. While the campaign affected targets worldwide, the highest number of targets were located in North America. Over one-quarter of the targets were government entities.
The threat actors used the Barracuda ESG 0day (CVE-2023-2868) in this campaign, which began as early as October 2022 and continued until at least June of this year. Once the targets were compromised, UNC4841 used their access to deploy malware and conduct post-exploitation activities. The threat actors managed to maintain persistence on target networks even after the entities thought the threat had been remediated.
Additional malware deployed on target systems included SKIPJACK, DEPTHCHARGE, and FOXTROT/FOXGLOVE. SKIPJACK is a passive implant that registers a listener to monitor incoming email. It masquerades as a legitimate Barracuda ESG module. DEPTHCHARGE, also known as SUBMARINE, is a passive backdoor that retrieves encrypted commands to execute and allows threat actors to maintain persistence. FOXTROT is a C++ implant launched using FOXGLOVE, a C-based program. FOXTROT communicates via TCP and is capable of capturing keystrokes, running shell commands, transferring files, and setting up a reverse shell. It appears to share similarities with Reptile, an open-source rootkit.
Mandiant stated a small number of previously impacted victims may continue to be at risk.
What is CVE-2023-2868?
CVE-2023-2868 is a remote command injection vulnerability in the Barracuda Email Security Gateway. It exists because the product incompletely validates user-supplied .tar file attachments: the names of the files inside the archive are not properly sanitized before they are processed. A threat actor can therefore craft file names within the archive so that a system command is executed remotely with the privileges of the Email Security Gateway product. Barracuda disclosed the vulnerability on May 30, 2023.
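The defect described above is the absence of strict validation of archive member names before they are used. The following is an added illustration, not Barracuda's code and not part of the original report, of the kind of check a gateway should apply: every member name in an inbound .tar is parsed with Python's tarfile module and tested against an allowlist (a single path component of letters, digits, dot, underscore and hyphen), with anything else rejected before it can reach a command line. The allowlist pattern, the function names and the sample archive contents are assumptions constructed for this example.

```python
import io
import re
import tarfile

# Allowlist for archive member names: one path component made of letters,
# digits, dot, underscore and hyphen (assumed policy for this example).
# Anything outside it (shell metacharacters, path separators, traversal)
# is rejected before the name is handed to any other processing step.
SAFE_MEMBER_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def validate_member_name(name: str) -> bool:
    """Return True only if `name` is a safe, single-component file name."""
    if not SAFE_MEMBER_NAME.fullmatch(name):
        return False
    # "." and "..." are allowed by the pattern but are not real file names.
    if name in (".", ".."):
        return False
    return True


def scan_tar(data: bytes) -> dict:
    """Parse a tar archive from bytes and classify its member names.

    Returns {"accepted": [...], "rejected": [...]} in archive order.
    Only regular files can be accepted; links, devices and directories
    are rejected outright.
    """
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and validate_member_name(member.name):
                accepted.append(member.name)
            else:
                rejected.append(member.name)
    return {"accepted": accepted, "rejected": rejected}


def build_sample_tar(names) -> bytes:
    """Build a constructed in-memory archive (not a real attachment)
    containing one small regular file per requested member name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"sample"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed member names: two benign, three that must be rejected.
SAMPLE_NAMES = [
    "report.pdf",
    "notes-2023.txt",
    "invoice.pdf;note",  # constructed: shell metacharacter in the name
    "../etc/passwd",     # constructed: path traversal
    "a b.txt",           # constructed: whitespace, outside the allowlist
]

if __name__ == "__main__":
    result = scan_tar(build_sample_tar(SAMPLE_NAMES))
    for name in result["accepted"]:
        print("accept", name)
    for name in result["rejected"]:
        print("reject", repr(name))
```

The design choice here is an allowlist rather than a denylist of metacharacters: a denylist has to anticipate every shell, encoding and separator that downstream code might interpret, whereas an allowlist only has to describe what a legitimate attachment name looks like. Rejecting the whole archive on the first bad member, rather than silently dropping that member, is the safer policy for a mail gateway.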
Who is UNC4841?
UNC4841 is an espionage-focused, China-nexus threat actor group. Its activity appears to overlap with that of other Chinese threat actor groups, including UNC2286 and UNC3886. UNC4841 appears to be a sophisticated threat actor and has demonstrated the ability to adapt to defensive efforts in order to maintain a foothold in the victim's environment.
PolySwarm has multiple samples associated with this campaign.
You can use the following CLI command to search for all UNC4841 samples in our portal:
$ polyswarm link list -t UNC4841