SEASPY (Malware Family)

SEASPY

According to CISA, this malware is a persistent backdoor that masquerades as a legitimate Barracuda Networks service. The malware is designed to listen to commands received from the Threat Actor’s Command-and-Control through TCP packets. When executed, the malware uses libpcap sniffer to monitor traffic for a magic packet on TCP port 25 (SMTP) and TCP port 587. It checks the network packet captured for a hard-coded string. When the right sequence of packet is captured, it establishes a TCP reverse shell to the C2 server for further exploitation. This allows the TA to execute arbitrary commands on the compromised system.
The malware is based on an open-source backdoor program named "cd00r".

References

2023-07-28 ⋅ CISA ⋅ CISA
CISA Releases Malware Analysis Reports on Barracuda Backdoors
SEASPY

2023-07-28 ⋅ CISA ⋅ CISA
MAR-10454006-r2.v1 SEASPY Backdoor
SEASPY

2023-07-18 ⋅ Mandiant ⋅ Mandiant Intelligence
Stealth Mode: Chinese Cyber Espionage Actors Continue to Evolve Tactics to Avoid Detection
BPFDoor SALTWATER SEASPY SideWalk ZuoRAT Daxin HyperBro HyperSSL Waterbear

2023-06-15 ⋅ Mandiant ⋅ Austin Larsen, John Palmisano, John Wolfram, Mathew Potaczek, Matthew McWhirt
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China
SALTWATER SEASPY UNC4841

There is no Yara-Signature yet.

SEASPY Propose Change

References

SEASPY