elf.saltwater

SALTWATER

According to Mandiant, SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabilities. The backdoor is implemented using hooks on the send, recv and close syscalls via the third-party kubo/funchook hooking library, and amounts to five components, most of which are referred to as "Channels" within the binary. In addition to providing backdoor and proxying capabilities, these components exhibit classic backdoor functionality.

References

- 2023-07-18, Mandiant (Mandiant Intelligence): "Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection". Families covered: BPFDoor, SALTWATER, SEASPY, SideWalk, ZuoRAT, Daxin, HyperBro, HyperSSL, Waterbear.
- 2023-06-15, Mandiant (Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Matthew McWhirt): "Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China". Tags: SALTWATER, SEASPY, UNC4841.

Yara Rules
[TLP:WHITE] elf_saltwater_w0 (20230711 | Hunting rule looking for strings observed in SALTWATER samples.)
rule elf_saltwater_w0 {

    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings observed in SALTWATER samples."
        md5 = "827d507aa3bde0ef903ca5dec60cdec8"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater"
        malpedia_rule_date = "20230711"
        malpedia_hash = ""
        malpedia_version = "20230711"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = { 71 75 69 74 0D 0A 00 00 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s2 = { 00 8B D5 AD 93 B7 54 D5 00 33 8C 25 3D 9C 17 70 08 F9 0C 1A 41 71 55 36 1A 5C 4B 8D 29 7E 0D 78 }
        $s3 = { 71 75 69 74 0D 0A 00 00 00 12 8D 03 07 9C 17 92 08 F0 0C 9A 01 06 08 00 1A 0C 0B 8D 18 0A 0D 0A }

    condition:
        uint32(0) == 0x464c457f and any of them
}
[TLP:WHITE] elf_saltwater_w1 (20230711 | Hunting rule looking for strings observed in SALTWATER samples.)
rule elf_saltwater_w1 {

    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings observed in SALTWATER samples."
        md5 = "827d507aa3bde0ef903ca5dec60cdec8"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.saltwater"
        malpedia_rule_date = "20230711"
        malpedia_hash = ""
        malpedia_version = "20230711"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $c1 = "TunnelArgs"
        $c2 = "DownloadChannel"
        $c3 = "UploadChannel"
        $c4 = "ProxyChannel"
        $c5 = "ShellChannel"
        $c6 = "MyWriteAll"
        $c7 = "MyReadAll"
        $c8 = "Connected2Vps"
        $c9 = "CheckRemoteIp"
        $c10 = "GetFileSize"
        $s1 = "[-] error: popen failed"
        $s2 = "/home/product/code/config/ssl_engine_cert.pem"
        $s3 = "libbindshell.so"

    condition:
        uint32(0) == 0x464c457f and (any of ($s*) or 4 of ($c*))
}