UNC4841 - Potential SEASPY Execution

Aug 12, 2024 · attack.execution detection.emerging-threats ·

Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor

Sigma rule (View on GitHub)

 1title: UNC4841 - Potential SEASPY Execution
 2id: f6a711f3-d032-4f9e-890b-bbe776236c84
 3status: test
 4description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-06-16
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    product: linux
14    category: process_creation
15detection:
16    selection:
17        Image|endswith:
18            - '/BarracudaMailService'
19            - '/resize2fstab'
20            - '/resize_reisertab'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: critical

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

SALTWATER is a module for the Barracuda SMTP daemon (bsmtpd) that has backdoor functionality. SALTWATER can upload or download arbitrary files, execute commands, and has proxy and tunneling capabil...

Read More

UNC4841 - Potential SEASPY Execution

Sigma rule (View on GitHub)

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Google Cloud Blog

Related rules