MAR-10333243-1.v1: Pulse Connect Secure
Summary
body#cma-body {
font-family: Franklin Gothic Medium, Franklin Gothic, ITC Franklin Gothic, Arial, sans-serif;
font-size: 15px;
}
table#cma-table {
width: 900px;
margin: 2px;
table-layout: fixed;
border-collapse: collapse;
}
div#cma-exercise {
width: 900px;
height: 30px;
text-align: center;
line-height: 30px;
font-weight: bold;
font-size: 18px;
}
div.cma-header {
text-align: center;
margin-bottom: 40px;
}
div.cma-footer {
text-align: center;
margin-top: 20px;
}
h2.cma-tlp {
background-color: #000;
color: #ffffff;
width: 180px;
height: 30px;
text-align: center;
line-height: 30px;
font-weight: bold;
font-size: 18px;
float: right;
}
span.cma-fouo {
line-height: 30px;
font-weight: bold;
font-size: 16px;
}
h3.cma-section-title {
font-size: 18px;
font-weight: bold;
padding: 0 10px;
margin-top: 10px;
}
h4.cma-object-title {
font-size: 16px;
font-weight: bold;
margin-left: 20px;
}
h5.cma-data-title {
padding: 3px 0 3px 10px;
margin: 10px 0 0 20px;
background-color: #e7eef4;
font-size: 15px;
}
p.cma-text {
margin: 5px 0 0 25px !important;
word-wrap: break-word !important;
}
div.cma-section {
border-bottom: 5px solid #aaa;
margin: 5px 0;
padding-bottom: 10px;
}
div.cma-avoid-page-break {
page-break-inside: avoid;
}
div#cma-summary {
page-break-after: always;
}
div#cma-faq {
page-break-after: always;
}
table.cma-content {
border-collapse: collapse;
margin-left: 20px;
}
table.cma-hashes {
table-layout: fixed;
width: 880px;
}
table.cma-hashes td{
width: 780px;
word-wrap: break-word;
}
.cma-left th {
text-align: right;
vertical-align: top;
padding: 3px 8px 3px 20px;
background-color: #f0f0f0;
border-right: 1px solid #aaa;
}
.cma-left td {
padding-left: 8px;
}
.cma-color-title th, .cma-color-list th, .cma-color-title-only th {
text-align: left;
padding: 3px 0 3px 20px;
background-color: #f0f0f0;
}
.cma-color-title td, .cma-color-list td, .cma-color-title-only td {
padding: 3px 20px;
}
.cma-color-title tr:nth-child(odd) {
background-color: #f0f0f0;
}
.cma-color-list tr:nth-child(even) {
background-color: #f0f0f0;
}
td.cma-relationship {
max-width: 310px;
word-wrap: break-word;
}
ul.cma-ul {
margin: 5px 0 10px 0;
}
ul.cma-ul li {
line-height: 20px;
margin-bottom: 5px;
word-wrap: break-word;
}
#cma-survey {
font-weight: bold;
font-style: italic;
}
div.cma-banner-container {
position: relative;
text-align: center;
color: white;
}
img.cma-banner {
max-width: 900px;
height: auto;
}
img.cma-nccic-logo {
max-height: 60px;
width: auto;
float: left;
margin-top: -15px;
}
div.cma-report-name {
position: absolute;
bottom: 32px;
left: 12px;
font-size: 20px;
}
div.cma-report-number {
position: absolute;
bottom: 70px;
right: 100px;
font-size: 18px;
}
div.cma-report-date {
position: absolute;
bottom: 32px;
right: 100px;
font-size: 18px;
}
img.cma-thumbnail {
max-height: 100px;
width: auto;
vertical-align: top;
}
img.cma-screenshot {
margin: 10px 0 0 25px;
max-width: 800px;
height: auto;
vertical-align: top;
border: 1px solid #000;
}
div.cma-screenshot-text {
margin: 10px 0 0 25px;
}
.cma-break-word {
word-wrap: break-word;
}
.cma-tag {
border-radius: 5px;
padding: 1px 10px;
margin-right: 10px;
}
.cma-tag-info {
background: #f0f0f0;
}
.cma-tag-warning {
background: #ffdead;
}
NotificationThis report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp. SummaryDescriptionFour (4) files were submitted to CISA for analysis related to Pulse Secure Perl Common Gateway Interface (CGI) exploit. The files contain webshells or are designed to propagate shells that allow for remote code execution or unauthorized access. This analysis is derived from malicious files found on Pulse Connect Secure devices. For a downloadable copy of IOCs, see: MAR-10333243-1.v1WHITE.stix. Submitted Files (4)a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85 (DSUpgrade.pm) bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98 ( licenseserverproto.cgi ) d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a (licenseserverproto.cgi) ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496 (healthcheck.cgi) Findingsa3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85Tagstrojanwebshell Details
Antivirus
YARA RulesNo matches found. ssdeep Matches
Relationships
DescriptionThe file contains malicious code that was patched into the Pulse Secure application. --Begin Malicious Code-- return $status == 0; The patched in code will leverage the following SED command to patch a malicious webshell into the Pulse Secure system file “/pkg/do-install”: --Begin Malicious SED Command-- The purpose of the webshell is to accept a parameter named "id" from within an incoming web application post, and also copy another instance of the shell into the parameter '$cgi_p', which resolves to the legitimate file 'licenseserverproto.cgi'. The webshell will then process the data provided within the "id" parameter as an operating system command by executing it locally utilizing the system() function. d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640aTagswebshell Details
AntivirusNo matches found. YARA RulesNo matches found. ssdeep Matches
Relationships
DescriptionThis artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell: ---Begin Malicious Webshell--- The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute it on the target system using the system() function. If no "id" parameter is passed to the application the code will simply execute the main() function of the original Pulse Secure application. ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496Tagswebshell Details
Antivirus
YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis artifact is a Pulse Secure CGI script that has been maliciously modified. The modification allows for remote command execution and uploads and downloads of encrypted files. The malicious code is displayed below. Analyst comments are in brackets []: ---Begin Malicious Code--- my $ph="[REDACTED]"; [Hard coded RC4 key.] sub r [Generates random bytes to be used in (sub a) for encryption.] sub a [RC4 encrypts a string that includes a random 6 byte key, RC4 key ($ph above), and the payload, then base64 encodes the string.] sub b [Base64 decodes a payload and then decodes using the above RC4 key ($ph) and 6 byte key.] sub c [Downloads a file and uses the (sub b) function above to decrypt it, or uploads a file and uses the (sub a) function above to encrypt it.] { sub d [Decrypts a file using the (sub b) function above and writes out the file.] sub e [Decrypts an incoming command and executes as system. If the command has the wrong parameter it returns "Error 404".] sub f [Responses to POST requests.] The last part of this file contains modified code that renders a dialog box that allows for the searching of files to be downloaded. Before downloading, the files are RC4 encrypted and base64 encoded. The program uses the hard-coded key for the RC4 encryption. bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98Tagswebshell Details
AntivirusNo matches found. YARA RulesNo matches found. ssdeep MatchesNo matches found. DescriptionThis artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell: ---Begin Malicious Webshell--- The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute it on the target system using the system() function. If no "id" parameter is passed to the application, the code will simply execute the main() function of the original Pulse Secure application. Relationship Summary
RecommendationsCISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops". Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/ Document FAQWhat is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis. What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis. Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk. Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov. |
Revisions
July 21, 2021: Initial Version