UNC4841 - Potential SEASPY Execution

May 2, 2024 · attack.execution detection.emerging_threats ·

Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor

Sigma rule (View on GitHub)

 1title: UNC4841 - Potential SEASPY Execution
 2id: f6a711f3-d032-4f9e-890b-bbe776236c84
 3status: test
 4description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
 5references:
 6    - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/06/16
 9tags:
10    - attack.execution
11    - detection.emerging_threats
12logsource:
13    product: linux
14    category: process_creation
15detection:
16    selection:
17        Image|endswith:
18            - '/BarracudaMailService'
19            - '/resize2fstab'
20            - '/resize_reisertab'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: critical

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that the...

Read More

UNC4841 - Potential SEASPY Execution

Sigma rule (View on GitHub)

References

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

Related rules