YARA rules for CVE-2023-2868

4 rules, scoped to this CVE.
YARA rules whose family, name, or description matches this CVE or its tooling. Use these for binary-pattern hunts.

MAL_ELF_ReverseShell_SSLShell_Jun23_1
Tags: direct, ELF
Detects reverse shell named SSLShell used in Barracuda ESG exploitation (CVE-2023-2868)
Author: Florian Roth. License: see source repo.
rule MAL_ELF_ReverseShell_SSLShell_Jun23_1 {
   meta:
      description = "Detects reverse shell named SSLShell used in Barracuda ESG exploitation (CVE-2023-2868)"
      author = "Florian Roth"
      reference = "https://www.barracuda.com/company/legal/esg-vulnerability"
      date = "2023-06-07"
      score = 75
      hash1 = "8849a3273e0362c45b4928375d196714224ec22cb1d2df5d029bf57349860347"
      id = "91b34eb7-61d2-592e-a444-249da43994ca"
   strings:
      $sc1 = { 00 2D 63 00 2F 62 69 6E 2F 73 68 00 }
      $s1 = "SSLShell"
   condition:
      uint32be(0) == 0x7f454c46
      and uint16(0x10) == 0x0002
      and filesize < 5MB
      and all of them
}
MAL_ELF_SALTWATER_Jun23_1
Tags: direct, ELF
Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)
Author: Florian Roth. License: see source repo.
rule MAL_ELF_SALTWATER_Jun23_1 {
   meta:
      description = "Detects SALTWATER malware used in Barracuda ESG exploitations (CVE-2023-2868)"
      author = "Florian Roth"
      reference = "https://www.barracuda.com/company/legal/esg-vulnerability"
      date = "2023-06-07"
      score = 80
      hash1 = "601f44cc102ae5a113c0b5fe5d18350db8a24d780c0ff289880cc45de28e2b80"
      id = "10a038f6-6096-5d3a-aaf5-db441685102b"
   strings:
      $x1 = "libbindshell.so"

      $s1 = "ShellChannel"
      $s2 = "MyWriteAll"
      $s3 = "CheckRemoteIp"
      $s4 = "run_cmd"
      $s5 = "DownloadByProxyChannel"
      $s6 = "[-] error: popen failed"
      $s7 = "/home/product/code/config/ssl_engine_cert.pem"
   condition:
      uint16(0) == 0x457f and
      filesize < 6000KB and (
         ( 1 of ($x*) and 2 of them )
         or 3 of them
      ) or all of them
}
APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1
Tags: direct, UNC4841
Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841
Author: Florian Roth. License: see source repo.
rule APT_UNC4841_ESG_Barracuda_CVE_2023_2868_Forensic_Artifacts_Jun23_1 : SCRIPT {
   meta:
      description = "Detects forensic artifacts found in the exploitation of CVE-2023-2868 in Barracuda ESG devices by UNC4841"
      author = "Florian Roth"
      reference = "https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally"
      date = "2023-06-15"
      modified = "2023-06-16"
      score = 75
      id = "50518fa1-33de-5fe5-b957-904d976fb29a"
   strings:
      $x01 = "=;ee=ba;G=s;_ech_o $abcdefg_${ee}se64" ascii
      $x02 = ";echo $abcdefg | base64 -d | sh" ascii
      $x03 = "setsid sh -c \"mkfifo /tmp/p" ascii
      $x04 = "sh -i </tmp/p 2>&1" ascii
      $x05 = "if string.match(hdr:body(), \"^[%w%+/=" ascii
      $x06 = "setsid sh -c \"/sbin/BarracudaMailService eth0\""
      $x07 = "echo \"set the bvp ok\""
      $x08 = "find ${path} -type f ! -name $excludeFileNameKeyword | while read line ;"
      $x09 = " /mail/mstore | xargs -i cp {} /usr/share/.uc/"
      $x10 = "tar -T /mail/mstore/tmplist -czvf "

      $sa1 = "sh -c wget --no-check-certificate http"
      $sa2 = ".tar;chmod +x "
   condition:
      1 of ($x*)
      or all of ($sa*)
}
APT_MAL_UNC4841_SEASPY_Jun23_1
Tags: direct, UNC4841
Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868
Author: Florian Roth. License: see source repo.
rule APT_MAL_UNC4841_SEASPY_Jun23_1 {
   meta:
      description = "Detects SEASPY malware used by UNC4841 in attacks against Barracuda ESG appliances exploiting CVE-2023-2868"
      author = "Florian Roth"
      reference = "https://blog.talosintelligence.com/alchimist-offensive-framework/"
      date = "2023-06-16"
      score = 85
      hash1 = "3f26a13f023ad0dcd7f2aa4e7771bba74910ee227b4b36ff72edc5f07336f115"
      id = "bcff58f8-87f6-5371-8b96-5d4c0f349000"
   strings:
      $sx1 = "usage: ./BarracudaMailService <Network-Interface>. e.g.: ./BarracudaMailService eth0" ascii fullword
      $s1 = "fcntl.tmp.amd64." ascii
      $s2 = "Child process id:%d" ascii fullword
      $s3 = "[*]Success!" ascii fullword
      $s4 = "NO port code" ascii
      $s5 = "enter open tty shell" ascii

      $op1 = { 48 89 c6 f3 a6 0f 84 f7 01 00 00 bf 6c 84 5f 00 b9 05 00 00 00 48 89 c6 f3 a6 0f 84 6a 01 00 00 }
      $op2 = { f3 a6 0f 84 d2 00 00 00 48 89 de bf 51 5e 61 00 b9 05 00 00 00 f3 a6 74 21 48 89 de }
      $op3 = { 72 de 45 89 f4 e9 b8 f4 ff ff 48 8b 73 08 45 85 e4 ba 49 3d 62 00 b8 44 81 62 00 48 0f 45 d0 }
   condition:
      uint16(0) == 0x457f
      and filesize < 9000KB
      and 3 of them
      or 5 of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin