UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
Sigma rule

title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
modified: 2025-08-19
tags:
    - attack.execution
    - attack.persistence
    - attack.defense-evasion
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '/11111.tar'
            - '/aacore.sh'
            - '/appcheck.sh'
            - '/autoins'
            - '/BarracudaMailService'
            - '/etc/cron.daily/core_check.sh'
            - '/etc/cron.daily/core.sh'
            - '/etc/cron.hourly/aacore.sh'
            - '/etc/cron.hourly/appcheck.sh'
            - '/etc/cron.hourly/core.sh'
            - '/get_fs_info.pl'
            - '/imgdata.jpg'
            - '/install_att_v2.tar'
            - '/install_bvp74_auth.tar'
            - '/install_helo.tar'
            - '/install_reuse.tar'
            - '/intent_helo'
            - '/intent_reuse'
            - '/intentbas'
            # - '/mknod'
            - '/mod_attachment.lua'
            - '/mod_content.lua'
            - '/mod_require_helo.lua'
            - '/mod_rtf'
            - '/mod_sender.lua'
            - '/mod_udp.so'
            - '/nfsd_stub.ko'
            - '/resize_reisertab'
            - '/resize_risertab'
            - '/resize2fstab'
            - '/rverify'
            - '/saslautchd'
            - '/sendscd'
            - '/snapshot.tar'
            - '/tmp/p'
            - '/tmp/p7'
            - '/tmp/t'
            - '/update_v2.sh'
            - '/update_v31.sh'
            - '/update_v35.sh'
            - '/update_version'
    condition: selection
falsepositives:
    - Unlikely
level: high
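The rule is a single selection of `TargetFilename|endswith` values joined by `condition: selection`, so any Linux file_event whose target path ends with one of the listed suffixes fires at level high. The following is an added example, not code from SigmaHQ or from the rule author, that applies that same logic in Python to constructed sample events; it mirrors Sigma's default case-insensitive string comparison (the rule uses no `|cased` modifier) and leaves out the rule's commented-out `/mknod` entry, which the rule does not match on. The event field names and sample paths are assumptions made for the illustration.

```python
"""Added example: evaluate the UNC4841 Barracuda ESG file-indicator rule's
TargetFilename|endswith selection over constructed Linux file_event records.
Not part of the SigmaHQ rule or the Sigma project."""
from typing import Optional

# Suffix list copied from the rule's selection. The commented-out '/mknod'
# entry is deliberately omitted because the rule does not match on it.
UNC4841_FILE_SUFFIXES = (
    "/11111.tar", "/aacore.sh", "/appcheck.sh", "/autoins",
    "/BarracudaMailService", "/etc/cron.daily/core_check.sh",
    "/etc/cron.daily/core.sh", "/etc/cron.hourly/aacore.sh",
    "/etc/cron.hourly/appcheck.sh", "/etc/cron.hourly/core.sh",
    "/get_fs_info.pl", "/imgdata.jpg", "/install_att_v2.tar",
    "/install_bvp74_auth.tar", "/install_helo.tar", "/install_reuse.tar",
    "/intent_helo", "/intent_reuse", "/intentbas", "/mod_attachment.lua",
    "/mod_content.lua", "/mod_require_helo.lua", "/mod_rtf", "/mod_sender.lua",
    "/mod_udp.so", "/nfsd_stub.ko", "/resize_reisertab", "/resize_risertab",
    "/resize2fstab", "/rverify", "/saslautchd", "/sendscd", "/snapshot.tar",
    "/tmp/p", "/tmp/p7", "/tmp/t", "/update_v2.sh", "/update_v31.sh",
    "/update_v35.sh", "/update_version",
)

RULE_ID = "5627c337-a9b2-407a-a82d-5fd97035ff39"
RULE_LEVEL = "high"


def match_indicator(target_filename: str) -> Optional[str]:
    """Mirror Sigma's |endswith modifier: compare case-insensitively (Sigma's
    default for string values) and return the first matching suffix, or None.
    A suffix only counts when it sits at the very end of the path, so a file
    such as '/tmp/p7.bak' does not match '/tmp/p7'."""
    lowered = target_filename.lower()
    for suffix in UNC4841_FILE_SUFFIXES:
        if lowered.endswith(suffix.lower()):
            return suffix
    return None


def evaluate(events: list) -> list:
    """Apply 'condition: selection' to a batch of file_event records and emit
    one alert per hit carrying the rule id, level and matched indicator."""
    alerts = []
    for event in events:
        suffix = match_indicator(event.get("TargetFilename", ""))
        if suffix is not None:
            alerts.append({
                "rule_id": RULE_ID,
                "level": RULE_LEVEL,
                "TargetFilename": event["TargetFilename"],
                "matched_suffix": suffix,
            })
    return alerts


# Constructed sample events (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/cron.hourly/aacore.sh", "Image": "/bin/sh"},
    {"TargetFilename": "/tmp/p7", "Image": "/bin/sh"},
    {"TargetFilename": "/home/appuser/mod_udp.so", "Image": "/usr/bin/cp"},
    {"TargetFilename": "/var/log/messages", "Image": "/usr/sbin/rsyslogd"},
    {"TargetFilename": "/tmp/p7.bak", "Image": "/usr/bin/cp"},
    {"TargetFilename": "/tmp/proc", "Image": "/usr/bin/touch"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts (the cron script, `/tmp/p7` and the copied `mod_udp.so`); `/var/log/messages`, `/tmp/p7.bak` and `/tmp/proc` produce none because the indicator must terminate the path. Short suffixes such as `/tmp/p` and `/tmp/t` deserve a look when tuning: they match anywhere the path ends that way, not only under the top-level `/tmp`.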
Related rules
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- UNC4841 - Email Exfiltration File Pattern
- Qakbot Regsvr32 Calc Pattern
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load