MVISION Insights: Pulse Secure VPN Authentication Bypass and Zero-Day
Technical Articles ID:
KB94749
Last Modified: 9/1/2021
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.
Summary
A 0-day vulnerability affecting the Pulse VPN Appliance was identified in early 2021. Pulse VPN Appliances have come under attack through previously patched vulnerabilities from 2019 and 2020 as well as the 0-day tracked as CVE-2021-22893. Targets include the defense, government, and financial sectors. Mandiant identified 12 malware families: SLOWPULSE, SLIGHTPULSE, RADIALPULSE, STEADYPULSE, PULSECHECK, QUIETPULSE, PULSEJUMP, HARDPULSE, ATRIUM, PACEMAKER, THINBLOOD, and LOCKPICK.
Once an appliance is compromised, these tools are used to bypass authentication, maintain persistence, and evade detection. Mandiant has attributed the use of these tools to unnamed threat groups currently tracked as UNC2630 and UNC2717. While absolute attribution is not yet clear, the tools are believed to be used by both UNC groups.
The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Mandiant and shared publicly.
How to use this article:
- Scroll down and review the Product Countermeasures section of this article. Consider implementing them if they are not already in place.
- Review the following articles:
This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
Threat Hunting:
YARA rules:

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_Webshell_PL_ATRIUM_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "ca0175d86049fa7c796ea06b413857a3"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "CGI::param("
        $s2 = "system("
        $s3 = /if[\x09\x20]{0,32}\(CGI::param\([\x22\x27]\w{1,64}[\x22\x27]\)\)\s{0,128}\{[\x09\x20]{0,32}print [\x22\x27]Cache-Control: no-cache\\n[\x22\x27][\x09\x20]{0,32};\s{0,128}print [\x22\x27]Content-type: text\/html\\n\\n[\x22\x27][\x09\x20]{0,32};\s{0,128}my \$\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}CGI::param\([\x22\x27]\w{1,64}[\x22\x27]\)[\x09\x20]{0,32};\s{0,128}system\([\x22\x27]\$/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_Trojan_SH_ATRIUM_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "a631b7a8a11e6df3fccb21f4d34dbd8a"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "CGI::param("
        $s2 = "Cache-Control: no-cache"
        $s3 = "system("
        $s4 = /sed -i [^\r\n]{1,128}CGI::param\([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param\([^\r\n]{1,128}system\(/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Webshell_PL_HARDPULSE
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "980cba9e82faf194edb6f3cc20dc73ff"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $r1 = /if[\x09\x20]{0,32}\(\$\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27]\w{1,64}[\x22\x27]\)\s{0,128}\{\s{1,128}my[\x09\x20]{1,32}\$\w{1,64}[\x09\x20]{0,32}\x3b\s{1,128}unless[\x09\x20]{0,32}\(open\(\$\w{1,64},[\x09\x20]{0,32}\$\w{1,64}\)\)\s{0,128}\{\s{1,128}goto[\x09\x20]{1,32}\w{1,64}[\x09\x20]{0,32}\x3b\s{1,128}return[\x09\x20]{1,32}0[\x09\x20]{0,32}\x3b\s{0,128}\}/
        $r2 = /open[\x09\x20]{0,32}\(\*\w{1,64}[\x09\x20]{0,32},[\x09\x20]{0,32}[\x22\x27]>/
        $r3 = /if[\x09\x20]{0,32}\(\$\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27]\w{1,64}[\x22\x27]\)\s{0,128}\{\s{1,128}print[\x09\x20]{0,32}[\x22\x27]Content-type/
        $s1 = "CGI::request_method()"
        $s2 = "CGI::param("
        $s3 = "syswrite("
        $s4 = "print $_"
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_Linux32_LOCKPICK_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "e8bfd3f5a2806104316902bbe1195ee8"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }
        $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_Linux32_PACEMAKER
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "d7881c4de4d57828f7e1cab15687274b"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "\x00/proc/%d/mem\x00"
        $s2 = "\x00/proc/%s/maps\x00"
        $s3 = "\x00/proc/%s/cmdline\x00"
        $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB }
        $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C }
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_Linux_PACEMAKER
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "d7881c4de4d57828f7e1cab15687274b"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "\x00Name:%s || Pwd:%s || AuthNum:%s\x0a\x00"
        $s2 = "\x00/proc/%d/mem\x00"
        $s3 = "\x00/proc/%s/maps\x00"
        $s4 = "\x00/proc/%s/cmdline\x00"
    condition:
        (uint32(0) == 0x464c457f) and all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Webshell_PL_PULSECHECK_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        sha256 = "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $r1 = /while[\x09\x20]{0,32}\(<\w{1,64}>\)[\x09\x20]{0,32}\{\s{1,256}\$\w{1,64}[\x09\x20]{0,32}\.=[\x09\x20]{0,32}\$_;\s{0,256}\}/
        $s1 = "use Crypt::RC4;"
        $s2 = "use MIME::Base64"
        $s3 = "MIME::Base64::decode("
        $s4 = "popen("
        $s5 = " .= $_;"
        $s6 = "print MIME::Base64::encode(RC4("
        $s7 = "HTTP_X_"
    condition:
        $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_PL_PULSEJUMP_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "91ee23ee24e100ba4a943bb4c15adb4c"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "open("
        $s2 = ">>/tmp/"
        $s3 = "syswrite("
        $s4 = /\}[\x09\x20]{0,32}elsif[\x09\x20]{0,32}\([\x09\x20]{0,32}\$\w{1,64}[\x09\x20]{1,32}eq[\x09\x20]{1,32}[\x22\x27](Radius|Samba|AD)[\x22\x27][\x09\x20]{0,32}\)\s{0,128}\{\s{0,128}@\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}&/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_PL_QUIETPULSE
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "00575bec8d74e221ff6248228c509a16"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = /open[\x09\x20]{0,32}\(\*STDOUT[\x09\x20]{0,32},[\x09\x20]{0,32}[\x22\x27]>&CLIENT[\x22\x27]\)/
        $s2 = /open[\x09\x20]{0,32}\(\*STDERR[\x09\x20]{0,32},[\x09\x20]{0,32}[\x22\x27]>&CLIENT[\x22\x27]\)/
        $s3 = /socket[\x09\x20]{0,32}\(SERVER[\x09\x20]{0,32},[\x09\x20]{0,32}PF_UNIX[\x09\x20]{0,32},[\x09\x20]{0,32}SOCK_STREAM[\x09\x20]{0,32},[\x09\x20]{0,32}0[\x09\x20]{0,32}\)[\x09\x20]{0,32};\s{0,128}unlink/
        $s4 = /bind[\x09\x20]{0,32}\([\x09\x20]{0,32}SERVER[\x09\x20]{0,32},[\x09\x20]{0,32}sockaddr_un\(/
        $s5 = /listen[\x09\x20]{0,32}\([\x09\x20]{0,32}SERVER[\x09\x20]{0,32},[\x09\x20]{0,32}SOMAXCONN[\x09\x20]{0,32}\)[\x09\x20]{0,32};/
        $s6 = /my[\x09\x20]{1,32}\$\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}fork\([\x09\x20]{0,32}\)[\x09\x20]{0,32};\s{1,128}if[\x09\x20]{0,32}\([\x09\x20]{0,32}\$\w{1,64}[\x09\x20]{0,32}==[\x09\x20]{0,32}0[\x09\x20]{0,32}\)[\x09\x20]{0,32}\{\s{1,128}exec\(/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_PL_RADIALPULSE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        sha256 = "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "->getRealmInfo()->{NAME}"
        $s2 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>/
        $s3 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]realm=\$/
        $s4 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]username=\$/
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]password=\$/
    condition:
        (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_PL_RADIALPULSE_2
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "4a2a7cbc1c8855199a27a7a7b51d0117"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "open(*fd,"
        $s2 = "syswrite(*fd,"
        $s3 = "close(*fd);"
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/[\w.]{1,128}[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$\w{1,128} ?[\x22\x27],[\x09\x20]{0,32}5000\)/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Trojan_PL_RADIALPULSE_3
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        md5 = "4a2a7cbc1c8855199a27a7a7b51d0117"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "open(*fd,"
        $s2 = "syswrite(*fd,"
        $s3 = "close(*fd);"
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/dsstartssh\.statementcounters[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$username ?[\x22\x27],[\x09\x20]{0,32}\d{4}\)/
    condition:
        all of them
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Backdoor_Linux32_SLOWPULSE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b}
        $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?}
        $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?}
        $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08}
        $sb5 = {8d [5] b9 [4] f3 a6 0f 8?}
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}

rule FE_APT_Backdoor_Linux32_SLOWPULSE_2
{
    meta:
        author = "Strozfriedberg"
        date_created = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $sig = /[\x20-\x7F]{16}([\x20-\x7F\x00]+)\x00.{1,32}\xE9.{3}\xFF\x00+[\x20-\x7F][\x20-\x7F\x00]{16}/ // TOI_MAGIC_STRING
        $exc1 = /\xED\xC3\x02\xE9\x98\x56\xE5\x0C/
    condition:
        uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))
}

// Copyright 2021 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file.
rule FE_APT_Webshell_PL_STEADYPULSE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-04-16"
        sha256 = "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
    strings:
        $s1 = "parse_parameters"
        $s2 = "s/\\+/ /g"
        $s3 = "s/%(..)/pack("
        $s4 = "MIME::Base64::encode($"
        $s5 = "$|=1;"
        $s6 = "RC4("
        $s7 = "$FORM{'cmd'}"
    condition:
        all of them
}

rule FE_APT_Tool_Linux32_BLOODBANK_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "8bd504ac5fb342d3533fbe0febe7de5c2adcf74a13942c073de6a9db810f9936"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $sb1 = {0f b6 00 3c 75 [2-6] 8b 85 [4] 8d ?? 01 8b 85 [4] 01 ?? 0f b6 00 3c 73 [2-6] 8b 85 [4] 8d ?? 02 8b 85 [4] 01 ?? 0f b6 00 3c 65 [2-6] 8b 85 [4] 8d ?? 03 8b 85 [4] 01 ?? 0f b6 00 3c 72 [2-6] 8b 85 [4] 8d ?? 04 8b 85 [4] 01 ?? 0f b6 00 3c 40}
        $sb2 = {0f b6 00 3c 70 [2-6] 8b 85 [4] 8d ?? 01 8b 85 [4] 01 ?? 0f b6 00 3c 61 [2-6] 8b 85 [4] 8d ?? 02 8b 85 [4] 01 ?? 0f b6 00 3c 73 [2-6] 8b 85 [4] 8d ?? 03 8b 85 [4] 01 ?? 0f b6 00 3c 73 [2-6] 8b 85 [4] 8d ?? 04 8b 85 [4] 01 ?? 0f b6 00 3c 77 [2-6] 8b 85 [4] 8d ?? 08 8b 85 [4] 01 ?? 0f b6 00 3c 40}
        $ss1 = "\x00:%4d-%02d-%02d %02d:%02d:%02d \x00"
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}

rule FE_APT_Tool_Linux_BLOODBANK_2
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "8bd504ac5fb342d3533fbe0febe7de5c2adcf74a13942c073de6a9db810f9936"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $ss1 = "\x00:%4d-%02d-%02d %02d:%02d:%02d \x00"
        $ss2 = "\x00ok!\x00"
        $ss3 = "\x00\x0a\x0a%s:%s \x00"
        $ss4 = "\x00PRIMARY!%s \x00"
    condition:
        (uint32(0) == 0x464c457f) and all of them
}

rule FE_APT_Tool_Linux32_BLOODMINE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "38705184975684c826be28302f5e998cdb3726139aad9f8a6889af34eb2b0385"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $sb1 = { 6A 01 6A 03 68 [4] E8 [4-32] 50 E8 [4-32] 6A 01 5? 50 E8 [4-32] 50 E8 [4-32] 6A 01 5? 50 E8 [4-32] 6A 01 6A 01 68 [4] E8 [4-32] 8? [0-2] 01 A1 [4] 39 [2] 0F 8? }
        $sb2 = { 68 [4] FF B5 [4] E8 [4-16] 85 C0 7? ?? C7 05 [4] 01 00 00 00 E9 [4-32] 68 [4] FF B5 [4] E8 [4-16] 85 C0 7? ?? C7 05 [4] 02 00 00 00 E9 [4-32] 68 [4] FF B5 [4] E8 [4-16] 85 C0 7? ?? C7 05 [4] 03 00 00 00 E9 }
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}

rule FE_APT_Tool_Linux_BLOODMINE_2
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "38705184975684c826be28302f5e998cdb3726139aad9f8a6889af34eb2b0385"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $ss1 = "\x00[+]\x00"
        $ss2 = "\x00%d-%d-%d-%d-%d-%d\x0a\x00"
        $ss3 = "\x00[+]The count of saved logs: %d\x0a\x00"
        $ss4 = "\x00[+]Remember to clear \"%s\", good luck!\x0a\x00"
    condition:
        (uint32(0) == 0x464c457f) and all of them
}

rule FE_APT_Tool_Linux32_CLEANPULSE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "9308cfbd697e4bf76fcc8ff71429fbdfe375441e8c8c10519b6a73a776801ba7"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $sb1 = { A1 [4] 8B [5] 50 68 [4] 5? FF 75 ?? E8 [4] 83 C4 10 A1 [4] 8B [5] 50 68 [4] 5? FF 75 ?? E8 [4] 83 C4 10 A1 [4] 8B [5] 50 68 [4] 5? FF 75 ?? E8 [4] 83 C4 10 A1 [4] 8B [5] 50 68 [4] 5? FF 75 ?? E8 [4] 83 C4 10 8B ?? 04 }
        $sb2 = { 8B 00 0F B6 00 3C ?? 74 0F 8B ?? 04 83 C0 10 8B 00 0F B6 00 3C ?? 75 }
        $ss1 = "\x00OK!\x00"
        $ss2 = "\x00argv %d error!\x00"
        $ss3 = "\x00ptrace_write\x00"
        $ss4 = "\x00ptrace_attach\x00"
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them
}

rule FE_APT_Tool_Linux_CLEANPULSE_2
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
        sha256 = "9308cfbd697e4bf76fcc8ff71429fbdfe375441e8c8c10519b6a73a776801ba7"
        reference_url = "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html"
    strings:
        $sb1 = { 00 89 4C 24 08 FF 52 04 8D 00 }
        $ss1 = "\x00OK!\x00"
        $ss2 = "\x00argv %d error!\x00"
        $ss3 = "\x00ptrace_write\x00"
        $ss4 = "\x00ptrace_attach\x00"
    condition:
        (uint32(0) == 0x464c457f) and all of them
}

rule FE_APT_Webshell_PL_RAPIDPULSE_1
{
    meta:
        author = "Mandiant"
        date_created = "2021-05-17"
    strings:
        $r1 = /my[\x09\x20]{1,32}@\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}split[\x09\x20]{0,32}\([\x09\x20]{0,32}\x2f\x2f/
        $r2 = /my[\x09\x20]{1,32}\$\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}MIME::Base64::decode_base64[\x09\x20]{0,32}\([\x09\x20]{0,32}\$\w{1,64}[\x09\x20]{0,32}\)[\x09\x20]{0,32};[\S\s]{0,128}my[\x09\x20]{1,32}\$\w{1,64}[\x09\x20]{0,32}=[\x09\x20]{0,32}substr[\x09\x20]{0,32}\([\x09\x20]{0,32}\$\w{1,64}[\x09\x20]{0,32},[\x09\x20]{0,32}\d[\x09\x20]{0,32}\)[\x09\x20]{0,32};[\s\S]{0,64}return[\x09\x20]{1,32}\$/
        $s1 = "use MIME::Base64"
        $s2 = "CGI::param("
        $s3 = "popen"
        $s4 = "print CGI::header()"
        $s5 = "(0..255)"
    condition:
        (all of ($s*)) and (@r1[1] < @r2[1])
}
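The rules above lean on a small set of YARA condition idioms: an ELF prefilter (uint32(0) == 0x464c457f, with uint8(4) == 1 added for the Linux32 variants), offset ordering between strings (@s1[1] < @s2[1]) and occurrence counting (#s7 > 2). The Python below is an added example, not part of this article or of Mandiant's rule set, that models those operators on constructed byte buffers so the difference between the Linux32 and Linux rule pairs and the behaviour of the ordering test can be checked offline before a rule is deployed. Function names, the placeholder strings and the sample buffers are assumptions made for illustration.

```python
import struct
from typing import List, Optional

# Literal checks taken from the rule conditions above.
ELF_MAGIC_LE = 0x464C457F   # uint32(0) == 0x464c457f: the bytes b"\x7fELF" read little-endian
ELFCLASS32 = 1              # uint8(4) == 1 marks a 32-bit ELF (the *_Linux32_* rules)
ELFCLASS64 = 2              # used only to build a negative sample


def uint32(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint32(offset): little-endian read; None (compares unequal) when out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def uint8(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint8(offset)."""
    if offset < 0 or offset >= len(data):
        return None
    return data[offset]


def elf_prefilter(data: bytes) -> str:
    """Which ELF prefilter from the rules above a buffer satisfies:
    'elf32' -> (uint32(0) == 0x464c457f) and (uint8(4) == 1)   (*_Linux32_* rules)
    'elf'   -> uint32(0) == 0x464c457f only                    (*_Linux_* rules)
    'none'  -> neither, so no rule in this set can fire."""
    if uint32(data, 0) != ELF_MAGIC_LE:
        return "none"
    return "elf32" if uint8(data, 4) == ELFCLASS32 else "elf"


def offsets(data: bytes, needle: bytes) -> List[int]:
    """Every offset of needle, overlapping matches included: YARA reports each match
    position, so '#s' is len(offsets(...)) and '@s[1]' is offsets(...)[0]."""
    found, start = [], 0
    while needle:
        i = data.find(needle, start)
        if i < 0:
            break
        found.append(i)
        start = i + 1
    return found


def first_offset(data: bytes, needle: bytes) -> Optional[int]:
    """YARA '@s[1]': offset of the first match, None when the string is absent."""
    hits = offsets(data, needle)
    return hits[0] if hits else None


def occurs_in_order(data: bytes, needles: List[bytes]) -> bool:
    """Models the chained form '(@s1[1] < @s2[1]) and (@s2[1] < @s3[1])': every string
    present and first occurrences at strictly increasing offsets. An absent string
    leaves @s[1] undefined, which YARA evaluates as a failed condition."""
    firsts = [first_offset(data, n) for n in needles]
    if any(f is None for f in firsts):
        return False
    return all(a < b for a, b in zip(firsts, firsts[1:]))


def build_sample(elf_class: Optional[int], body: bytes) -> bytes:
    """Constructed buffer: a minimal 16-byte ELF e_ident (or nothing) followed by body."""
    if elf_class is None:
        return body
    return b"\x7fELF" + bytes([elf_class]) + b"\x00" * 11 + body


if __name__ == "__main__":
    # Constructed placeholder strings stand in for a rule's $s1..$s3.
    body = b"...alpha...beta...gamma..."
    for cls in (ELFCLASS32, ELFCLASS64, None):
        sample = build_sample(cls, body)
        print(cls, elf_prefilter(sample), occurs_in_order(sample, [b"alpha", b"beta", b"gamma"]))
```

The practical point is the second line of output: a 64-bit ELF passes the `FE_APT_Trojan_Linux_*` prefilter but never the `Linux32` one, which is why the article ships the rules in pairs.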
Campaign IOC
Type | Value |
SNORT | alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"APT.Webshell.PL.PULSECHECK callback"; flow:to_server; content:"POST "; depth:5; content:" HTTP/1.1|0d 0a|"; distance:1; content:"|0d 0a|X-CMD: "; nocase; fast_pattern; content:"|0d 0a|X-CNT: "; nocase; content:"|0d 0a|X-KEY: "; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; ) |
SNORT | alert tcp any any -> any any ( msg:"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]"; content:"POST "; depth:5; content:"|0d 0a|X-CMD: "; nocase; fast_pattern; content:"|0d 0a|X-CNT: "; nocase; content:"|0d 0a|X-KEY: "; nocase; content:!"|0d 0a|Referer: "; content:!"fast_pattern"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; ) |
SNORT | alert tcp any $HTTP_PORTS -> any any ( msg:"APT.Webshell.PL.STEADYPULSE.[<form action=]"; flow:to_client; content:"<form action=\"\" method=\"GET\">"; content:"<input type=\"text\" name=\"cmd\" "; distance:0; content:"<input type=\"text\" name=\"serverid\" "; distance:0; fast_pattern; content:"<input type=\"submit\" value=\"Run\">"; distance:0; pcre:"/<\/form>\s{0,512}<pre>/R"; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; ) |
SNORT | alert tcp any any -> any any ( msg:"APT.Webshell.HTTP.STEADYPULSE.[<form action=]"; content:"<form action=\"\" method=\"GET\">"; content:"<input type=\"text\" name=\"cmd\" "; distance:0; fast_pattern; content:"<input type=\"text\" name=\"serverid\" "; distance:0; content:"<input type=\"submit\" value=\"Run\">"; distance:0; content:!"|0d 0a|Referer: "; content:!"|0d 0a|User-Agent: "; content:!"fast_pattern"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; ) |
SNORT | alert tcp any any -> any any ( msg:"APT.Webshell.HTTP.STEADYPULSE.[Results of]"; content:"|0d 0a|Results of '"; content:"' execution:|0a 0a|"; distance:1; within:256; fast_pattern; content:!"|0d 0a|Referer: "; content:!"|0d 0a|User-Agent: "; content:!"fast_pattern"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; ) |
SNORT | alert tcp any $HTTP_PORTS -> any any ( msg:"APT.Webshell.PL.STEADYPULSE. .[Results of]"; flow:to_client; content:"Results of '"; content:"' execution:|0a 0a|"; distance:1; within:256; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; fast_pattern; ) |
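To show what the two PULSECHECK Snort signatures above actually select, the following Python is an added example (not from this article and not Mandiant's code) that applies their combined conditions, a POST over HTTP/1.1 carrying X-CMD, X-CNT and X-KEY headers with no Referer, to a handful of constructed raw requests, and models the threshold clause (type limit, track by_src, count 1, seconds 3600) that collapses repeated hits from one source into a single alert per hour. Addresses, paths, header values and function names are constructed placeholders.

```python
from typing import Dict, List, Optional, Tuple

# Header names from the PULSECHECK signatures; 'nocase' makes them case-insensitive,
# so everything is compared lower-cased.
REQUIRED_HEADERS = ("x-cmd", "x-cnt", "x-key")
EXCLUDED_HEADERS = ("referer",)          # content:!"|0d 0a|Referer: "


def parse_request(raw: bytes) -> Optional[dict]:
    """Split a raw HTTP request into request-line fields and a lower-cased header map.
    Returns None when there is no well-formed request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, target, version = (p.decode("latin-1") for p in parts)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def matches_pulsecheck(raw: bytes) -> bool:
    """Combined logic of the two signatures: 'POST ' at depth 5, ' HTTP/1.1',
    all three X-* headers present (nocase) and no Referer header."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST" or req["version"] != "HTTP/1.1":
        return False
    names = req["headers"]
    if not all(h in names for h in REQUIRED_HEADERS):
        return False
    return not any(h in names for h in EXCLUDED_HEADERS)


class LimitThreshold:
    """Snort 'threshold: type limit, track by_src, count N, seconds S': pass the first N
    matching events from a source address in each S-second window, drop the rest."""

    def __init__(self, count: int = 1, seconds: int = 3600) -> None:
        self.count, self.seconds = count, seconds
        self._windows: Dict[str, Tuple[float, int]] = {}   # src -> (window start, events passed)

    def allow(self, src: str, now: float) -> bool:
        start, passed = self._windows.get(src, (None, 0))
        if start is None or now - start >= self.seconds:
            self._windows[src] = (now, 1)          # new window: first event always alerts
            return True
        if passed < self.count:
            self._windows[src] = (start, passed + 1)
            return True
        return False


def http_request(method: str, target: str, headers: List[Tuple[str, str]], body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 request; used only to build the constructed samples below."""
    lines = [f"{method} {target} HTTP/1.1".encode("latin-1")]
    lines += [f"{k}: {v}".encode("latin-1") for k, v in headers]
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed traffic: (timestamp in seconds, source address, raw request). Addresses are
# from documentation ranges and header values are placeholders, not real captures.
SUSPECT = http_request("POST", "/example.cgi", [
    ("Host", "vpn.example.test"),
    ("x-cmd", "PLACEHOLDER"), ("X-Cnt", "PLACEHOLDER"), ("X-KEY", "PLACEHOLDER"),
    ("Content-Length", "0"),
])
NORMAL_POST = http_request("POST", "/login", [
    ("Host", "vpn.example.test"), ("Referer", "https://vpn.example.test/"),
    ("Content-Length", "0"),
])
GET_WITH_HEADERS = http_request("GET", "/example.cgi", [
    ("Host", "vpn.example.test"),
    ("X-CMD", "PLACEHOLDER"), ("X-CNT", "PLACEHOLDER"), ("X-KEY", "PLACEHOLDER"),
])
SAMPLE_EVENTS = [
    (0.0,    "198.51.100.7", SUSPECT),           # first hit from this source -> alert
    (10.0,   "198.51.100.7", SUSPECT),           # same source, same hour -> suppressed
    (20.0,   "203.0.113.9",  NORMAL_POST),       # ordinary POST with Referer -> no match
    (30.0,   "203.0.113.9",  GET_WITH_HEADERS),  # right headers, wrong method -> no match
    (3700.0, "198.51.100.7", SUSPECT),           # window expired -> alert again
]


def run_detection(events, count: int = 1, seconds: int = 3600) -> List[Tuple[float, str]]:
    """Apply the signature, then the per-source threshold; return (timestamp, src) alerts."""
    limiter = LimitThreshold(count=count, seconds=seconds)
    return [(ts, src) for ts, src, raw in events
            if matches_pulsecheck(raw) and limiter.allow(src, ts)]


if __name__ == "__main__":
    for ts, src in run_detection(SAMPLE_EVENTS):
        print(f"t={ts:>6.0f}s  src={src}  APT.Webshell.HTTP.PULSECHECK")
```

The threshold is applied only after the content checks pass, as in Snort, so the suppressed second hit still counts as a match if you export matches rather than alerts for hunting; the signature itself keys on header presence, not on the header values, which is why the placeholders above are enough to exercise it.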
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Rule ID: 5 Use GTI URL reputation to identify trusted or malicious processes