UNC4841 - Email Exfiltration File Pattern

 1title: UNC4841 - Email Exfiltration File Pattern
 2id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
 3status: test
 4description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-06-16
 9tags:
10    - attack.execution
11    - attack.persistence
12    - detection.emerging-threats
13    - attack.stealth
14logsource:
15    product: linux
16    category: file_event
17detection:
18    selection:
19        TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

• Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

  

  SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...

  
  Read More

Related rules

• APT27 - Emissary Panda Activity
• DLL Names Used By SVR For GraphicalProton Backdoor
• Diamond Sleet APT DLL Sideloading Indicators
• Exploiting SetupComplete.cmd CVE-2019-1378
• Lazarus APT DLL Sideloading Activity