UNC4841 - Email Exfiltration File Pattern

Aug 12, 2024 · attack.execution attack.persistence attack.defense-evasion detection.emerging-threats ·

Detects filename pattern of email related data used by UNC4841 for staging and exfiltration

Sigma rule (View on GitHub)

 1title: UNC4841 - Email Exfiltration File Pattern
 2id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
 3status: test
 4description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-06-16
 9tags:
10    - attack.execution
11    - attack.persistence
12    - attack.defense-evasion
13    - detection.emerging-threats
14logsource:
15    product: linux
16    category: file_event
17detection:
18    selection:
19        TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...

Read More

UNC4841 - Email Exfiltration File Pattern

Sigma rule (View on GitHub)

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

Related rules