UNC4841 - Download Compressed Files From Temp.sh Using Wget

 1title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
 2id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
 3status: test
 4description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/06/16
 9tags:
10    - attack.defense_evasion
11    - attack.t1140
12    - detection.emerging_threats
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/wget'
19        CommandLine|contains: 'https://temp.sh/'
20        CommandLine|endswith:
21            - '.rar'
22            - '.zip'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

• Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

  

  On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that the...

  
  Read More

Related rules

• UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
• UNC4841 - SSL Certificate Exfiltration Via Openssl
• Potential BlackByte Ransomware Activity
• Linux Base64 Encoded Pipe to Shell
• UNC4841 - Barracuda ESG Exploitation Indicators