YARA rules for UNC4841
4 rules · scoped to actor · back to UNC4841
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.
rule APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1 : SCRIPT {
meta:
description = "Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-15"
modified = "2023-06-16"
score = 75
id = "50518fa1-33de-5fe5-b957-904d976fb29a"
strings:
$x01 = "=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64" ascii
$x02 = ";echo $abcdefg | base64 -d | sh" ascii
$x03 = "setsid sh -c \"mkfifo /tmp/p" ascii
$x04 = "sh -i </tmp/p 2>&1" ascii
$x05 = "if string.match(hdr:body(), \"^[%w%+/=" ascii
$x06 = "setsid sh -c \"/sbin/BarracudaMailService eth0\""
$x07 = "echo \"set the bvp ok\""
$x08 = "find ${path} -type f ! -name $excludeFileNameKeyword | while read line ;"
$x09 = " /mail/mstore | xargs -i cp {} /usr/share/.uc/"
$x10 = "tar -T /mail/mstore/tmplist -czvf "
$sa1 = "sh -c wget --no-check-certificate http"
$sa2 = ".tar;chmod +x "
condition:
1 of ($x*)
or all of ($sa*)
}
rule APT_MAL_UNC4841_SEASPY_Jun23_1 {
meta:
description = "Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868"
author = "Florian Roth"
reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
date = "2023-06-16"
score = 85
hash1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
id = "bcff58f8-87f6-5371-8b96-5d4c0f349000"
strings:
$sx1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.: ./BarracudaMailService eth0" ascii fullword
$s1 = "fcntl.tmp.amd64." ascii
$s2 = "Child process id:%d" ascii fullword
$s3 = "[*]Success!" ascii fullword
$s4 = "NO port code" ascii
$s5 = "enter open tty shell" ascii
$op1 = { 48 89 c6 f3 a6 0f 84 f7 01 00 00 bf 6c 84 5f 00 b9 05 00 00 00 48 89 c6 f3 a6 0f 84 6a 01 00 00 }
$op2 = { f3 a6 0f 84 d2 00 00 00 48 89 de bf 51 5e 61 00 b9 05 00 00 00 f3 a6 74 21 48 89 de }
$op3 = { 72 de 45 89 f4 e9 b8 f4 ff ff 48 8b 73 08 45 85 e4 ba 49 3d 62 00 b8 44 81 62 00 48 0f 45 d0 }
condition:
uint16(0) == 0x457f
and filesize < 9000KB
and 3 of them
or 5 of them
}
rule APT_MAL_UNC4841_SEASPY_LUA_Jun23_1 {
meta:
description = "Detects SEASPY malware related LUA script"
author = "Florian Roth"
reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
date = "2023-06-16"
score = 90
hash1 = "56e8066bf83ff6fe0cec92aede90f6722260e0a3f169fc163ed88589bffd7451"
id = "a44861d0-107e-589b-8cf1-3fbc2f5c78dc"
strings:
$x1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii fullword
$x2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii fullword
$xe1 = "os.execute('rverify'..' /tmp/'..attachment:filename())" ascii base64
$xe2 = "log.debug(\"--- opening archive [%s], mimetype [%s]\", tmpfile" ascii base64
condition:
filesize < 500KB and 1 of them
}
rule APT_HKTL_Proxy_Tool_Jun23_1 {
meta:
description = "Detects agent used as proxy tool in UNC4841 intrusions - possibly Alchemist C2 framework implant"
author = "Florian Roth"
reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
date = "2023-06-16"
score = 75
hash1 = "ca72fa64ed0a9c22d341a557c6e7c1b6a7264b0c4de0b6f717dd44bddf550bca"
hash2 = "57e4b180fd559f15b59c43fb3335bd59435d4d76c4676e51a06c6b257ce67fb2"
id = "0e406737-3083-53c2-a6d2-14c07794125a"
strings:
//$a1 = "Go build" // not available in all samples
$a2 = "/src/runtime/panic.go"
$s1 = "main.handleClientRequest" ascii fullword
$s2 = "main.sockIP.toAddr" ascii fullword
// $s3 = "main.slave" ascii fullword
condition:
(
uint16(0) == 0x5a4d // Windows PE
or uint32be(0) == 0x7f454c46 // ELF
or uint16(0) == 0xfeca or uint16(0) == 0xfacf or uint32(0) == 0xbebafeca or uint32(0) == 0xbebafeca // MacOS
)
and filesize < 10MB
and all of them
}