MAR-10337580-1.v1: Pulse Connect Secure
Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise. This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received four files for analysis. One of the files is a modified version of the Unix umount application. It is designed to "hook" the umount functionality of a compromised Unix device. The added functionality provided via this umount "hook" makes several system modifications which provide a remote operator persistent command and control (C2) access to a compromised Pulse Secure device. The remaining files are modified by the umount "hook." This analysis is derived from malicious files found on Pulse Connect Secure devices. For a downloadable copy of IOCs, see: MAR-10337580-1.v1.WHITE.stix.

Submitted Files (4)

4ebb25ef9621c44cdb52630e44bcd1b5a848c0c56f01fa759863d50166bb0928 (umount)
5fbdc77bfce54b023a82f04cbe9b1c891d93f63cd782f1875111f0bbc79ca6f5 (libdsplibs.so)
6092a24ca3853fb351989ee1aa2eca604fc438afc1e64df3ede10ffda577d475 (sdp_mobile_login.cgi)
e3137135f4ad5ecdc7900a619d7f1b88ba252b963b38ae9a156299cc9bce92a1 (rdpreauth.cgi)

Findings

4ebb25ef9621c44cdb52630e44bcd1b5a848c0c56f01fa759863d50166bb0928

Details
Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Description

This file is a malicious replacement for the Unix umount binary. The modified umount application contains a bash script with an appended ELF binary. When the system attempts to perform an unmount to disconnect a device, the "main" portion of this script will perform several system modifications to the Pulse Secure device before extracting the appended ELF binary, writing it to disk, marking it executable, and using it to actually perform the umount task. This application acts as a "hook" to the compromised device's unmount task. The system modifications performed during this "hook" are ultimately designed to provide a hacker remote C2 capabilities over a compromised Pulse Secure device. The full malicious script contained within this application is illustrated below. After this full illustration is a summary explanation of the primary pieces of this full malicious script.

--Begin Full Malicious Script--
##sstart
patch_manifest()
sed -i '/verify 1/d' /tmp/data/root/home/bin/check_integrity.sh
patch_cgi()
patch_libdsp()
patch_umount()
waitweb()
/bin/mount -o remount,rw /dev/root / >/dev/null 2>&1
###cgistart1
###cgistart2
##eend
--End Full Malicious Script--

The function illustrated below is designed to make a small modification to the Pulse Secure system file named libdsplibs.so. This function will change all occurrences of the string "ForceCommand" in the libdsplibs.so binary to the string "#orceCommand". The function below will also remove the string "verifyFiles" from the Pulse Secure system file named check_integrity.sh.

--Begin libdsplibs.so Modification Function--
patch_libdsp()
--End libdsplibs.so Modification Function--

The function illustrated below is designed to modify the Pulse Secure system files named manifest and check_integrity.sh.
As illustrated, this function hashes the new version of the script named sdp_mobile_login.cgi, which now contains a patched-in webshell. The function then counts the number of times the string "sdp_mobile_login.cgi" is found in the Pulse Secure manifest file. The malware then replaces this "sdp_mobile_login.cgi" string with the full path of the patched version and its corresponding SHA256 value within the manifest file. The replacement string for the current "sdp_mobile_login.cgi" strings will appear similar to the following: "/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi 6092a24ca3853fb351989ee1aa2eca604fc438afc1e64df3ede10ffda577d475 b". The function then removes the strings "verify 1" and "err Signature" from the Pulse Secure system file check_integrity.sh. It appears the modifications may be required for the Pulse Secure system to allow the execution of the hacker-modified version of sdp_mobile_login.cgi.

Note: The comments in the code below were added by CISA to clarify the functionality of different parts of the malicious code.

--Begin manifest and check_integrity.sh Modification Function--
patch_manifest()
--End manifest and check_integrity.sh Modification Function--

The script modifies the Pulse Secure system file named sdp_mobile_login.cgi by adding data to it from a file contained on disk named tmp2. The code utilized to modify sdp_mobile_login.cgi is illustrated below. Analysis of the modified sdp_mobile_login.cgi indicates this modification adds a webshell to the Pulse Secure application which allows an operator to remotely issue commands to a compromised device. This patched-in webshell is detailed within the description of the file sdp_mobile_login.cgi, included within this document. Notably, the function below also modifies the /bin/umount application by adding data to it contained in the files tmp1 and tmp2. After the modifications of umount and sdp_mobile_login.cgi, the function deletes the files tmp1 and tmp2.
The original files tmp1 and tmp2 were not available for analysis.

--Begin sdp_mobile_login.cgi and umount Modification Code (Using tmp1 and tmp2)--
patch_cgi()
--End sdp_mobile_login.cgi and umount Modification Code (Using tmp1 and tmp2)--

The malicious function illustrated below is designed to extract the ELF binary from the current (hacker-modified) umount application and run it as a standalone application to actually perform the umount function for the operating system. The function extracts the embedded ELF, writes it out to disk as /bin/umount_re, and sets it to executable via the system command /bin/chmod u+x /bin/umount_re. The function then executes the umount_re application and deletes it from disk. The final command in the function mounts /dev/root as read only. The remounting of /dev/root with read-only permissions is likely a method to hide this activity from a system administrator, as /dev/root being mounted with read and write permissions may draw the attention of system analysts.

--Begin normal_um() Function--
normal_um()
--End normal_um() Function--

The function below modifies the system application /bin/umount using the data contained in a file named /tmp/data/root/bin/xx. The function then deletes the file named /tmp/data/root/bin/xx.

--Begin patch_umount Function--
patch_umount()
--End patch_umount Function--

Illustrated below is the "main" portion of this malicious application, with comments added by our team to illustrate the purpose of this file. Note: The comments in the code below were added by CISA to clarify the functionality of different parts of the malicious code.

--Begin Main Script--
/bin/mount -o remount,rw /dev/root / >/dev/null 2>&1 //*CISA: Mount the /dev/root partition with read and write permissions.
--End Main Script--

6092a24ca3853fb351989ee1aa2eca604fc438afc1e64df3ede10ffda577d475

Details
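The script below is an added example, not CISA's code and not part of this report: it looks for the on-disk artifacts described above (the script-with-appended-ELF umount and its marker comments, the lines stripped from check_integrity.sh, the "#orceCommand" patch in libdsplibs.so, and manifest entries carrying the known-bad sdp_mobile_login.cgi hash or a hash that no longer matches the file) on a mounted copy of a device filesystem. The marker strings, the deleted lines, the umount and check_integrity.sh locations and the bad hash are taken from the report; the locations of libdsplibs.so and the manifest, the manifest line layout ("path sha256 flag", modelled on the replaced entry quoted above) and the sample tree that build_sample_root() writes are assumptions constructed for the demonstration.

```python
"""Added example (not CISA's code): host-side checks for the tampering this
report describes, run against a root directory (a mounted image or a forensic
copy).  Marker strings, removed lines and the bad hash come from the report;
the manifest/libdsplibs.so locations, the manifest layout and the sample tree
are assumptions constructed for this demo."""
import hashlib
import os
import tempfile

SCRIPT_MARKERS = (b"##sstart", b"##eend", b"###cgistart1", b"###cgistart2")
ELF_MAGIC = b"\x7fELF"
INTEGRITY_LINES = ("verify 1", "verifyFiles", "err Signature")  # deleted by the malware
KNOWN_BAD_CGI_SHA256 = "6092a24ca3853fb351989ee1aa2eca604fc438afc1e64df3ede10ffda577d475"
# Relative paths checked.  umount and check_integrity.sh follow the report;
# the manifest and libdsplibs.so locations are assumptions for this example.
PATHS = {
    "umount": "bin/umount",
    "integrity": "home/bin/check_integrity.sh",
    "libdsp": "home/lib/libdsplibs.so",
    "manifest": "home/bin/manifest",
}


def read(path):
    with open(path, "rb") as fh:
        return fh.read()


def check_umount(data):
    """A genuine umount is an ELF from byte 0.  The report's sample is a shell
    script with an ELF appended and carries its own marker comments."""
    findings = []
    if data.startswith(b"#!") and ELF_MAGIC in data[4:]:
        findings.append("umount is a script with an appended ELF")
    findings += [f"umount contains marker {m.decode()}" for m in SCRIPT_MARKERS if m in data]
    return findings


def check_integrity_script(data):
    """Report each verification string the malware removes that is now absent."""
    text = data.decode(errors="replace")
    return [f"check_integrity.sh lacks '{s}'" for s in INTEGRITY_LINES if s not in text]


def check_libdsplibs(data):
    return ["libdsplibs.so contains '#orceCommand'"] if b"#orceCommand" in data else []


def check_manifest(root, data):
    """Assumed line layout '<path> <sha256> <flag>' (as in the replaced entry the
    report quotes).  Flags the known-bad hash and any entry whose recorded hash
    does not match the file currently on disk."""
    findings = []
    for line in data.decode(errors="replace").splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rel, recorded = parts[0], parts[1].lower()
        if recorded == KNOWN_BAD_CGI_SHA256:
            findings.append(f"manifest lists known-bad hash for {rel}")
        target = os.path.join(root, rel.lstrip("/"))
        if os.path.isfile(target) and hashlib.sha256(read(target)).hexdigest() != recorded:
            findings.append(f"manifest hash mismatch for {rel}")
    return findings


def scan(root):
    """Run every check whose file exists under root; missing files are skipped."""
    checks = {
        "umount": check_umount,
        "integrity": check_integrity_script,
        "libdsp": check_libdsplibs,
        "manifest": lambda d: check_manifest(root, d),
    }
    findings = []
    for key, fn in checks.items():
        path = os.path.join(root, PATHS[key])
        if os.path.isfile(path):
            findings += fn(read(path))
    return findings


def build_sample_root(root):
    """Constructed sample tree reproducing the artifacts the report describes."""
    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    put(PATHS["umount"], b"#!/bin/bash\n##sstart\nnormal_um\n##eend\n" + ELF_MAGIC + b"\x02\x01\x01")
    put(PATHS["integrity"], b"#!/bin/bash\necho checking\n")  # verification lines removed
    put(PATHS["libdsp"], b"\x7fELF....#orceCommand....")
    cgi_rel = "home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi"
    put(cgi_rel, b"#!/usr/bin/perl\n# patched\n")
    put(PATHS["manifest"], f"/{cgi_rel} {KNOWN_BAD_CGI_SHA256} b\n".encode())


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Against the constructed tree the scan reports nine findings; on a real image, point scan() at the mount root and adjust PATHS to where the appliance actually keeps the manifest and libdsplibs.so.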
Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Description

This file is a Pulse Secure CGI script that has been modified by a malicious actor. The modification made to the script is illustrated below. It is believed the modification to this Pulse Secure script was made by the application named umount detailed within this document. The main function of this application has been hooked to check for the following incoming POST parameters: HTTP_X_KEY, HTTP_X_CMD, HTTP_X_CNT. The data passed in with the HTTP_X_CMD parameter will be base64 decoded and RC4 decrypted using the key data passed in via the HTTP_X_CNT parameter. The now decrypted HTTP_X_CMD parameter data will then be executed on the target system using the popen() function, and the command's return value will be RC4 encrypted -- using the RC4 key passed via the HTTP_X_CNT parameter -- and base64 encoded before being returned to the remote operator via the web application using a print statement.

Note: The data contained in the provided parameter HTTP_X_KEY must match the hard coded value zzdibweoQxffnDEi2UKacJlEekplJ7uwrt for the webshell code to successfully process the hacker provided command.

Note: The comments in the code below were added by CISA to clarify the functionality of different parts of the malicious code.

--Begin Main Webshell Hook--
$| = 1;
sub main {
--End Main Webshell Hook--

5fbdc77bfce54b023a82f04cbe9b1c891d93f63cd782f1875111f0bbc79ca6f5

Details
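The code below is an added example, not CISA's code and not part of this report: it shows how an analyst can check a captured HTTP request for the webshell pattern described above (the same header triple is used by the rdpreauth.cgi webshell described later in this report) and recover the command an operator sent from captured traffic. The header names X-Key, X-Cmd and X-Cnt are derived from the CGI environment variables the report names (a CGI server exposes the X-Key header as HTTP_X_KEY, and so on), and the hard-coded key is the value quoted above; the request that sample_request() builds is constructed for the demonstration and is not captured traffic.

```python
"""Added example (not CISA's code): flag requests that carry the reported
webshell headers and decode the command from captured traffic.  Header names
are derived from the report's CGI variable names (HTTP_X_KEY -> X-Key, ...);
the hard-coded key is quoted from the report; the sample request is constructed."""
import base64

REPORTED_X_KEY = "zzdibweoQxffnDEi2UKacJlEekplJ7uwrt"   # quoted from the report
WEBSHELL_HEADERS = ("x-key", "x-cmd", "x-cnt")
HOOKED_SCRIPTS = ("sdp_mobile_login.cgi", "rdpreauth.cgi")  # CGI files the report says were hooked


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream XOR); decrypting is the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: returns (request path, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    path = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return path, headers


def classify(raw):
    """Return the indicators found in one request; an empty list means none."""
    path, headers = parse_request(raw)
    present = [h for h in WEBSHELL_HEADERS if h in headers]
    script = path.rsplit("/", 1)[-1].split("?")[0]
    indicators = []
    if present and script in HOOKED_SCRIPTS:
        indicators.append("webshell headers sent to a hooked CGI: " + ", ".join(present))
    if headers.get("x-key") == REPORTED_X_KEY:
        indicators.append("X-Key matches the report's hard-coded value")
    return indicators


def decode_command(headers):
    """Recover the operator's command: base64-decode X-Cmd, RC4-decrypt with X-Cnt as key."""
    ciphertext = base64.b64decode(headers["x-cmd"])
    return rc4(headers["x-cnt"].encode(), ciphertext).decode(errors="replace")


def decode_response(body, cnt):
    """Command output comes back the same way: RC4 under X-Cnt, then base64."""
    return rc4(cnt.encode(), base64.b64decode(body)).decode(errors="replace")


def sample_request(cmd="uname -a", cnt="constructed-key"):
    """Constructed request in the reported format (not captured traffic)."""
    x_cmd = base64.b64encode(rc4(cnt.encode(), cmd.encode())).decode()
    return (
        "POST /dana-na/auth/sdp_mobile_login.cgi HTTP/1.1\r\n"
        "Host: vpn.example.invalid\r\n"
        f"X-Key: {REPORTED_X_KEY}\r\n"
        f"X-Cnt: {cnt}\r\n"
        f"X-Cmd: {x_cmd}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    raw = sample_request()
    for hit in classify(raw):
        print("INDICATOR:", hit)
    print("decoded command:", decode_command(parse_request(raw)[1]))
```

A request to either hooked CGI that carries any of the three X- headers is worth alerting on regardless of the key value, since a key match only confirms the specific sample analyzed here; a proxy or packet capture in front of the appliance is the practical source for the raw requests this parser expects.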
Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Description

This file is a legitimate Pulse Secure shared object application that has been modified by the script contained in the file umount, also included within this submission. As screenshots attached to this product indicate, the string ForceCommand in this binary has been modified to #orceCommand in an attempt to change its functionality.

Screenshots

Figure 1 - Direct modification made to libdsplibs.so by the malicious code contained in the application umount. The string ForceCommand has been changed to #orceCommand.

Figure 2 - Direct modification made to libdsplibs.so by the malicious code contained in the application umount. The string ForceCommand has been changed to #orceCommand.

Figure 3 - Direct modification made to libdsplibs.so by the malicious code contained in the application umount. The string ForceCommand has been changed to #orceCommand.

e3137135f4ad5ecdc7900a619d7f1b88ba252b963b38ae9a156299cc9bce92a1

Tags
webshell

Details
Antivirus
No matches found.

YARA Rules
No matches found.

ssdeep Matches
No matches found.

Description

This file is a Pulse Secure system application that has been modified to allow an operator to remotely execute commands on a compromised Pulse Secure device. Its main() function has been hooked with the webshell illustrated below. This webshell is similar in design and functionality to the webshell described in the file sdp_mobile_login.cgi. A primary difference in this webshell is that a static value must be passed in with the HTTP_X_KEY parameter for the webshell to process and execute a provided command.

--Begin Malicious Webshell--
sub main {
--End Malicious Webshell--

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR?
A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR?
A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document?
This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA?
Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
Revisions
July 21, 2021: Initial Version
This product is provided subject to this Notification and this Privacy & Use policy.