{
"type" : "bundle" ,
"id" : "bundle--b7f8805b-fec8-4491-b866-83a457212437" ,
"objects" : [
{
"type" : "identity" ,
"spec_version" : "2.1" ,
"id" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:38:12.000Z" ,
"modified" : "2021-04-21T09:38:12.000Z" ,
"name" : "CIRCL" ,
"identity_class" : "organization"
} ,
{
"type" : "report" ,
"spec_version" : "2.1" ,
"id" : "report--b7f8805b-fec8-4491-b866-83a457212437" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:38:12.000Z" ,
"modified" : "2021-04-21T09:38:12.000Z" ,
"name" : "FireEye Mandiant PulseSecure Exploitation Countermeasures" ,
"published" : "2021-04-21T09:38:28Z" ,
"object_refs" : [
"observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04" ,
"url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04" ,
"observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4" ,
"url--5cb95524-3fef-4334-9fef-e6d3f00982a4" ,
"indicator--d584973b-e85b-431b-a2f2-c3cd33562245" ,
"indicator--55301c17-7b0e-450d-89be-54eb3f096592" ,
"indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6" ,
"indicator--4ad4982e-87bf-4edc-915b-4ad84f3b13eb" ,
"indicator--2b0bd4a3-3f4a-4e9a-b330-52a196385fc0" ,
"indicator--baccb07a-3ac5-4a08-89d0-5c02114ad60b" ,
"x-misp-object--57ffce5f-60a8-40ae-b11e-624ca218704d" ,
"indicator--6854614c-df9f-4bb5-8de0-857c943be550" ,
"indicator--874ca0e5-827e-43f8-99f5-a2a5aa60e672" ,
"indicator--cd13cfd7-f4dc-4864-9009-30baa29551a6" ,
"indicator--1d87313f-7519-4748-bfb1-fc8b60906cf6" ,
"indicator--0b65ad47-db4b-4f58-a33c-e671746afa05" ,
"indicator--5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01" ,
"indicator--efd7b1ec-0fff-498a-ad64-d1d259ebbf82" ,
"indicator--35ae369e-4ab2-447c-819c-c366f547ca9c" ,
"indicator--5f99e163-f31e-4994-8a56-4b249d894012" ,
"indicator--0690ab34-3ffe-4d37-b6a7-4ce477d4de60" ,
"indicator--30408119-108d-495f-89ca-cbe1dcf0b68b" ,
"indicator--c0b88e1a-d76c-4226-bffa-45ca59bc2fa9" ,
"indicator--dbab04b4-1df0-4055-be1a-2ad6d47b15de" ,
"indicator--5279454c-137c-4df2-ab40-d4f67be95f40" ,
"indicator--61f23a4d-8a5f-4a4c-b846-4f87797fbb1a" ,
"indicator--44e27409-7862-42be-bf2b-4d18fa27243f" ,
"indicator--3347af09-6558-4e07-ac68-c7abe87079b9" ,
"indicator--ec665abd-0414-4647-b4cd-9fa22e979ab8" ,
"indicator--3e50f8b8-0dbc-4bec-80de-30e325671f95" ,
"indicator--2620c50d-6305-45cb-8aff-e37d50425358" ,
"indicator--cfaa4938-1778-45cd-b95a-61be8ba0837e" ,
"indicator--0da707a9-b329-4d30-b907-01fe6c1de17c" ,
"indicator--df51083d-32e2-4812-89bb-f7036472920e" ,
"indicator--5151611d-c11d-47cf-9a9c-5ef132b1a303" ,
"indicator--298449a1-8e86-409c-96fb-0c225d9f98a9" ,
"indicator--cf564f32-56e9-4fe0-87ac-5e5df91b0c9f" ,
"indicator--bbcc14ea-c7fc-4b15-a020-b619641add7e" ,
"indicator--60b5f9a7-ffa3-4d56-a1a7-6642638be3e6" ,
"indicator--04323a10-ee75-43ae-9150-001fe9a27ab7" ,
"indicator--bbdbb662-a8b1-4c13-85f2-898abde6d3f9" ,
"indicator--b4a44973-985c-4058-b968-9cd867f1bef6" ,
"indicator--ca389b0d-fbe4-42bc-96e3-56b5f4886c9b" ,
"indicator--34384af6-0071-435b-84c1-bf8c3420cd08" ,
"indicator--1fc8066f-98aa-4e70-b4ee-0710931cdac7" ,
"indicator--447d890e-3529-486e-b4f8-704b813d745f" ,
"indicator--7bd70c6d-d345-45f3-a8ac-00e4a2149cea" ,
"indicator--8f5eaca0-34a1-4e85-b6b3-8082bce62175" ,
"indicator--4f5204e2-efbe-4200-8f2c-bc6ebbb952da" ,
"indicator--c73a7441-1444-42a9-974d-3f3e64168bcc" ,
"indicator--642cf927-5c24-4846-b8a7-5b895c87594f" ,
"indicator--c7b0b3ec-3c74-4329-abc4-0d4414228f90" ,
"indicator--76f29c1c-c880-4baa-be5a-cecf57c18d38" ,
"indicator--12ee2578-f80b-4db9-b7c5-75c5f05215f2" ,
"indicator--ef28ce31-93a2-48a8-8ed8-b56b8caf60a7" ,
"indicator--d11dc00d-249a-4b44-a70d-8d1912c6b012" ,
"indicator--b78852fc-95f7-4ec5-a7ed-e001320e19b4" ,
"indicator--9df4fc8c-7277-4488-9f3b-ff2a0f51aa66" ,
"indicator--b79a5423-1769-4be7-a580-909c99a08598" ,
"indicator--17e7dce5-405d-4cf1-8d2f-9f3de6653c75" ,
"indicator--95be007c-e7a2-45a6-a1ff-d0f334e662da" ,
"indicator--40e78b71-1425-4450-aa39-08ecaa30f0df" ,
"note--82e160db-f47a-433c-865a-fb667f3cff29"
] ,
"labels" : [
"Threat-Report" ,
"misp:tool=\"MISP-STIX-Converter\"" ,
"type:OSINT" ,
"osint:lifetime=\"perpetual\"" ,
"estimative-language:confidence-in-analytic-judgment=\"high\"" ,
"estimative-language:likelihood-probability=\"almost-certain\""
] ,
"object_marking_refs" : [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:07:36.000Z" ,
"modified" : "2021-04-21T08:07:36.000Z" ,
"first_observed" : "2021-04-21T08:07:36Z" ,
"last_observed" : "2021-04-21T08:07:36Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04" ,
"value" : "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
} ,
{
"type" : "observed-data" ,
"spec_version" : "2.1" ,
"id" : "observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:12:08.000Z" ,
"modified" : "2021-04-21T08:12:08.000Z" ,
"first_observed" : "2021-04-21T08:12:08Z" ,
"last_observed" : "2021-04-21T08:12:08Z" ,
"number_observed" : 1 ,
"object_refs" : [
"url--5cb95524-3fef-4334-9fef-e6d3f00982a4"
] ,
"labels" : [
"misp:type=\"link\"" ,
"misp:category=\"External analysis\""
]
} ,
{
"type" : "url" ,
"spec_version" : "2.1" ,
"id" : "url--5cb95524-3fef-4334-9fef-e6d3f00982a4" ,
"value" : "https://www.circl.lu/pub/tr-63"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d584973b-e85b-431b-a2f2-c3cd33562245" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--55301c17-7b0e-450d-89be-54eb3f096592" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[<form action=]\"; flow:to_client; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; pcre:\"/<\\/form>\\s{0,512}<pre>/R\"; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4ad4982e-87bf-4edc-915b-4ad84f3b13eb" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[<form action=]\"; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2b0bd4a3-3f4a-4e9a-b330-52a196385fc0" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[Results of]\"; content:\"|0d 0a|Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; fast_pattern; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--baccb07a-3ac5-4a08-89d0-5c02114ad60b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T09:01:21.000Z" ,
"modified" : "2021-04-21T09:01:21.000Z" ,
"pattern" : "[alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE. .[Results of]\"; flow:to_client; content:\"Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; fast_pattern; )]" ,
"pattern_type" : "snort" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T09:01:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "Network activity"
}
] ,
"labels" : [
"misp:type=\"snort\"" ,
"misp:category=\"Network activity\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "x-misp-object" ,
"spec_version" : "2.1" ,
"id" : "x-misp-object--57ffce5f-60a8-40ae-b11e-624ca218704d" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:08:50.000Z" ,
"modified" : "2021-04-21T08:08:50.000Z" ,
"labels" : [
"misp:name=\"report\"" ,
"misp:meta-category=\"misc\""
] ,
"x_misp_attributes" : [
{
"type" : "link" ,
"object_relation" : "link" ,
"value" : "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" ,
"category" : "External analysis" ,
"uuid" : "4fa4a70a-3aff-4432-ac42-9409399e196d"
} ,
{
"type" : "text" ,
"object_relation" : "summary" ,
"value" : "Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process." ,
"category" : "Other" ,
"uuid" : "eebfc2b8-6467-4cdd-8a31-041708d20a55"
}
] ,
"x_misp_meta_category" : "misc" ,
"x_misp_name" : "report"
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--6854614c-df9f-4bb5-8de0-857c943be550" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:15:06.000Z" ,
"modified" : "2021-04-21T08:15:06.000Z" ,
"description" : "SLOWPULSE V1 - libdsplibs.so " ,
"pattern" : "[file:hashes.MD5 = '23ff4df644aa408d6a074eb8fa9f0da3' AND file:hashes.SHA256 = 'cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:15:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--874ca0e5-827e-43f8-99f5-a2a5aa60e672" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:17:02.000Z" ,
"modified" : "2021-04-21T08:17:02.000Z" ,
"description" : "SLOWPULSE V2 \r\nlibdsplibs.so " ,
"pattern" : "[file:hashes.MD5 = '8bf3ebe60f393f4c2fe0bbeb4976fc46' AND file:hashes.SHA256 = '1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd' AND file:name = 'libdsplibs.so']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:17:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--cd13cfd7-f4dc-4864-9009-30baa29551a6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:17:49.000Z" ,
"modified" : "2021-04-21T08:17:49.000Z" ,
"description" : "SLOWPULSE V3 \r\nlibdsplibs.so " ,
"pattern" : "[file:hashes.MD5 = '8f5d87592f68d8350656f722f6f21e10' AND file:hashes.SHA256 = 'b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:17:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1d87313f-7519-4748-bfb1-fc8b60906cf6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:19:22.000Z" ,
"modified" : "2021-04-21T08:19:22.000Z" ,
"description" : "SLOWPULSE V2 Patcher \r\nunknown " ,
"pattern" : "[file:hashes.MD5 = '32a9bc24c6670a3cf880a8c0c9e9dfaf' AND file:hashes.SHA256 = 'c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:19:22Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0b65ad47-db4b-4f58-a33c-e671746afa05" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:20:00.000Z" ,
"modified" : "2021-04-21T08:20:00.000Z" ,
"description" : "SLOWPULSE V3 Patcher \r\nunknown " ,
"pattern" : "[file:hashes.MD5 = '6272aa2f8f47e2a63f138d81e69fdba7' AND file:hashes.SHA256 = '06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:20:00Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:20:45.000Z" ,
"modified" : "2021-04-21T08:20:45.000Z" ,
"description" : "SLOWPULSE V4 Patcher \r\nunknown " ,
"pattern" : "[file:hashes.MD5 = 'beff02edb0f6a7c2b341aa780e88a48c' AND file:hashes.SHA256 = 'e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:20:45Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--efd7b1ec-0fff-498a-ad64-d1d259ebbf82" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:21:24.000Z" ,
"modified" : "2021-04-21T08:21:24.000Z" ,
"description" : "SLOWPULSE V4 UnPatcher \r\nunknown " ,
"pattern" : "[file:hashes.MD5 = 'ece3e2a6b6e3531b50cc74c7f87cdc8d' AND file:hashes.SHA256 = 'b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:21:24Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--35ae369e-4ab2-447c-819c-c366f547ca9c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:22:02.000Z" ,
"modified" : "2021-04-21T08:22:02.000Z" ,
"description" : "PULSECHECK \r\nsecid_canceltoken.cgi" ,
"pattern" : "[file:hashes.MD5 = '33c4947efe66ce8c175464b4e262fe16' AND file:hashes.SHA256 = 'a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:22:02Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5f99e163-f31e-4994-8a56-4b249d894012" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:22:48.000Z" ,
"modified" : "2021-04-21T08:22:48.000Z" ,
"description" : "PULSECHECK \r\nCompcheckjs.cgi " ,
"pattern" : "[file:hashes.MD5 = '9aa378cbec161ccd168be212c8856749' AND file:hashes.SHA256 = '6f4dec58548f5193b5e511ecc3c63154ae3c93f9345661a774cb69a1ce16c577']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:22:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0690ab34-3ffe-4d37-b6a7-4ce477d4de60" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:23:37.000Z" ,
"modified" : "2021-04-21T08:23:37.000Z" ,
"description" : "RADIALPULSE \r\napac_login.cgiunknown \r\n" ,
"pattern" : "[file:hashes.MD5 = '1cd91b74f8d2d2fe952a97e9040073d8' AND file:hashes.SHA256 = 'd72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:23:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--30408119-108d-495f-89ca-cbe1dcf0b68b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:24:18.000Z" ,
"modified" : "2021-04-21T08:24:18.000Z" ,
"description" : "RADIALPULSE \r\nbasicauth_userpass.cgi " ,
"pattern" : "[file:hashes.MD5 = '4a2a7cbc1c8855199a27a7a7b51d0117' AND file:hashes.SHA256 = '293cc71af317593e0e5d9f8c6fd7a732977c63174becc8dedadf8f8f4cc9c922']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:24:18Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c0b88e1a-d76c-4226-bffa-45ca59bc2fa9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:25:06.000Z" ,
"modified" : "2021-04-21T08:25:06.000Z" ,
"description" : "RADIALPULSE \r\ndswebserver.sh " ,
"pattern" : "[file:hashes.MD5 = '4d416e551821ccce8bc9c4457d10573b' AND file:hashes.SHA256 = 'b72fdae94e78fe51205966179573693c01eae98ece228af13041855cc4e255b1']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:25:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--dbab04b4-1df0-4055-be1a-2ad6d47b15de" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:25:48.000Z" ,
"modified" : "2021-04-21T08:25:48.000Z" ,
"description" : "RADIALPULSE \r\nunknown \r\n" ,
"pattern" : "[file:hashes.MD5 = '558090216cf8199802f11da4f70db897' AND file:hashes.SHA256 = 'dea123cd0a48f01ef9176946f11e4b2b23218018ebcea7ff08d552f88906c52d']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:25:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5279454c-137c-4df2-ab40-d4f67be95f40" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:26:26.000Z" ,
"modified" : "2021-04-21T08:26:26.000Z" ,
"description" : "RADIALPULSE \r\nlogin.cgi " ,
"pattern" : "[file:hashes.MD5 = '56e2a1566c7989612320f4ef1669e7d5' AND file:hashes.SHA256 = 'e9df4e13131c95c75ca41a95e08599b3d480e5e7a7922ff0a3fa00bef3bd6561']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:26:26Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--61f23a4d-8a5f-4a4c-b846-4f87797fbb1a" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:27:19.000Z" ,
"modified" : "2021-04-21T08:27:19.000Z" ,
"description" : "RADIALPULSE \r\nlogin.cgi " ,
"pattern" : "[file:hashes.MD5 = '6c63b5c747e8e351426777b7de94da7c' AND file:hashes.SHA256 = '61f9f6ae26bd3f4d6632bcc722022079aab1ef1d3ddeb71f0f7db2f14aed4ce4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:27:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--44e27409-7862-42be-bf2b-4d18fa27243f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:29:10.000Z" ,
"modified" : "2021-04-21T08:29:10.000Z" ,
"description" : "RADIALPULSE \r\nrd.cgi " ,
"pattern" : "[file:hashes.MD5 = '957ca40755de8f1f68602476a62799f9' AND file:hashes.SHA256 = 'b482dc4d07e0c11d047c25af3bd239b9c57eaa8648cebf639369ec143297b96a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:29:10Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3347af09-6558-4e07-ac68-c7abe87079b9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:29:54.000Z" ,
"modified" : "2021-04-21T08:29:54.000Z" ,
"description" : "RADIALPULSE \r\nuserpass.cgi " ,
"pattern" : "[file:hashes.MD5 = 'd21705be48b4b38a66e731f6d4125708' AND file:hashes.SHA256 = 'd61d98a3a68a5a35d49c5c7a43d11d3e22bdb7d26bffb6f5aded83c07c90633a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:29:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ec665abd-0414-4647-b4cd-9fa22e979ab8" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:32:21.000Z" ,
"modified" : "2021-04-21T08:32:21.000Z" ,
"description" : "PACEMAKER \r\nmemread \r\n" ,
"pattern" : "[file:hashes.MD5 = 'd7881c4de4d57828f7e1cab15687274b' AND file:hashes.SHA256 = '68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:32:21Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--3e50f8b8-0dbc-4bec-80de-30e325671f95" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:34:27.000Z" ,
"modified" : "2021-04-21T08:34:27.000Z" ,
"description" : "PACEMAKER Launcher Utility \r\nunknown\r\n" ,
"pattern" : "[file:hashes.MD5 = '4cb9bb1cdc1931c738843f7dfe63f5c4' AND file:hashes.SHA256 = '4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:34:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--2620c50d-6305-45cb-8aff-e37d50425358" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:35:12.000Z" ,
"modified" : "2021-04-21T08:35:12.000Z" ,
"description" : "THINBLOOD \r\ndsclslog " ,
"pattern" : "[file:hashes.MD5 = 'f38fe97c2a7419e62ce72439bdbb85b5' AND file:hashes.SHA256 = '88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:35:12Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--cfaa4938-1778-45cd-b95a-61be8ba0837e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:36:11.000Z" ,
"modified" : "2021-04-21T08:36:11.000Z" ,
"description" : "THINBLOOD Variant \r\nclear_log.sh " ,
"pattern" : "[file:hashes.MD5 = 'ecbd062c45d5fd38bb7f58289a8f5c86' AND file:hashes.SHA256 = '1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:36:11Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--0da707a9-b329-4d30-b907-01fe6c1de17c" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:36:48.000Z" ,
"modified" : "2021-04-21T08:36:48.000Z" ,
"description" : "SLIGHTPULSE \r\nmeeting_testjs.cgi " ,
"pattern" : "[file:hashes.MD5 = '57df2d9468b66d7585f79b12d4249f22' AND file:hashes.SHA256 = '133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:36:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--df51083d-32e2-4812-89bb-f7036472920e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:37:33.000Z" ,
"modified" : "2021-04-21T08:37:33.000Z" ,
"description" : "ATRIUM \r\ncompcheckresult.cgi " ,
"pattern" : "[file:hashes.MD5 = 'ca0175d86049fa7c796ea06b413857a3' AND file:hashes.SHA256 = 'f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:37:33Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--5151611d-c11d-47cf-9a9c-5ef132b1a303" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:38:13.000Z" ,
"modified" : "2021-04-21T08:38:13.000Z" ,
"description" : "ATRIUM \r\ndo-install " ,
"pattern" : "[file:hashes.MD5 = 'a631b7a8a11e6df3fccb21f4d34dbd8a' AND file:hashes.SHA256 = '2202234643bcd4807f21fbe4eb9ef3be9a6857ef92fd5979abb2b97b3c113966']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:38:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--298449a1-8e86-409c-96fb-0c225d9f98a9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:39:25.000Z" ,
"modified" : "2021-04-21T08:39:25.000Z" ,
"description" : "Persistence Patcher (ATRIUM)\r\nFile name: DSUpgrade.pm" ,
"pattern" : "[file:hashes.MD5 = 'd2ef3894c6e46453b7d9416ff0d4d6cc' AND file:hashes.SHA256 = '224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:39:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--cf564f32-56e9-4fe0-87ac-5e5df91b0c9f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:40:31.000Z" ,
"modified" : "2021-04-21T08:40:31.000Z" ,
"description" : "Persistence Patcher (ATRIUM)\r\nFile name: DSUpgrade.pm" ,
"pattern" : "[file:hashes.MD5 = 'd855ebd2adeaf2b3c87b28e77e9ce4d4' AND file:hashes.SHA256 = 'a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:40:31Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--bbcc14ea-c7fc-4b15-a020-b619641add7e" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:41:23.000Z" ,
"modified" : "2021-04-21T08:41:23.000Z" ,
"description" : "Persistence Patcher (STEADYPULSE)\r\nFile name: DSUpgrade.pm" ,
"pattern" : "[file:hashes.MD5 = '5009b307214abc4ba5e24fa99133b934' AND file:hashes.SHA256 = '64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:41:23Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--60b5f9a7-ffa3-4d56-a1a7-6642638be3e6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:42:01.000Z" ,
"modified" : "2021-04-21T08:42:01.000Z" ,
"description" : "Persistence Patcher (PULSECHECK)\r\nFile name: DSUpgrade.pm" ,
"pattern" : "[file:hashes.MD5 = 'de9184422b477ca3b6aae536979e8626' AND file:hashes.SHA256 = '705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:42:01Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--04323a10-ee75-43ae-9150-001fe9a27ab7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:42:56.000Z" ,
"modified" : "2021-04-21T08:42:56.000Z" ,
"description" : "Persistence Patcher (UNKNOWN)\r\nFile name: DSUpgrade.pm" ,
"pattern" : "[file:hashes.MD5 = '22cc57df424cac79f5bf78109a443523' AND file:hashes.SHA256 = '78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:42:56Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--bbdbb662-a8b1-4c13-85f2-898abde6d3f9" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:43:34.000Z" ,
"modified" : "2021-04-21T08:43:34.000Z" ,
"description" : "LOCKPICK\r\nFile name: libcrypto.so\r\nMD5 matches meta.md5 of YARA rule FE_APT_Trojan_Linux32_LOCKPICK_1 in this report" ,
"pattern" : "[file:hashes.MD5 = 'e8bfd3f5a2806104316902bbe1195ee8' AND file:hashes.SHA256 = '2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:43:34Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b4a44973-985c-4058-b968-9cd867f1bef6" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:44:13.000Z" ,
"modified" : "2021-04-21T08:44:13.000Z" ,
"description" : "LOCKPICK patcher\r\nFile name: unknown" ,
"pattern" : "[file:hashes.MD5 = '0ac5571f69a1cb17110d7c5af772a5eb' AND file:hashes.SHA256 = 'b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:44:13Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ca389b0d-fbe4-42bc-96e3-56b5f4886c9b" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:44:58.000Z" ,
"modified" : "2021-04-21T08:44:58.000Z" ,
"description" : "HARDPULSE webshell\r\nFile name: compcheckjava.cgi\r\nMD5 matches meta.md5 of YARA rule FE_APT_Webshell_PL_HARDPULSE in this report" ,
"pattern" : "[file:hashes.MD5 = '980cba9e82faf194edb6f3cc20dc73ff' AND file:hashes.SHA256 = '1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:44:58Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--34384af6-0071-435b-84c1-bf8c3420cd08" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:45:48.000Z" ,
"modified" : "2021-04-21T08:45:48.000Z" ,
"description" : "PULSEJUMP\r\nFile name: unknown\r\nMD5 matches meta.md5 of YARA rule FE_APT_Trojan_PL_PULSEJUMP_1 in this report" ,
"pattern" : "[file:hashes.MD5 = '91ee23ee24e100ba4a943bb4c15adb4c' AND file:hashes.SHA256 = '7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:45:48Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--1fc8066f-98aa-4e70-b4ee-0710931cdac7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:46:29.000Z" ,
"modified" : "2021-04-21T08:46:29.000Z" ,
"description" : "QUIETPULSE\r\nFile name: dsserver\r\nMD5 matches meta.md5 of YARA rule FE_APT_Trojan_PL_QUIETPULSE in this report" ,
"pattern" : "[file:hashes.MD5 = '00575bec8d74e221ff6248228c509a16' AND file:hashes.SHA256 = '9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:46:29Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--447d890e-3529-486e-b4f8-704b813d745f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:47:44.000Z" ,
"modified" : "2021-04-21T08:47:44.000Z" ,
"description" : "QUIETPULSE\r\nFile name: dshelper" ,
"pattern" : "[file:hashes.MD5 = '82e77d7ad4d39ed71981a3ddca4ff225' AND file:hashes.SHA256 = 'c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:47:44Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--7bd70c6d-d345-45f3-a8ac-00e4a2149cea" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:48:25.000Z" ,
"modified" : "2021-04-21T08:48:25.000Z" ,
"description" : "STEADYPULSE webshell\r\nFile name: licenseserverproto.cgi\r\nSHA256 matches meta.sha256 of YARA rule FE_APT_Webshell_PL_STEADYPULSE_1 in this report" ,
"pattern" : "[file:hashes.MD5 = 'fb21828f490561810c205241b367095e' AND file:hashes.SHA256 = '168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc']" ,
"pattern_type" : "stix" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:48:25Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "file"
}
] ,
"labels" : [
"misp:name=\"file\"" ,
"misp:meta-category=\"file\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--8f5eaca0-34a1-4e85-b6b3-8082bce62175" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:49:54.000Z" ,
"modified" : "2021-04-21T08:49:54.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Webshell_PL_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"ca0175d86049fa7c796ea06b413857a3\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"system(\"\r\n $s3 = /if[\\x09\\x20]{0,32}\\(CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\)\\s{0,128}\\{[\\x09\\x20]{0,32}print [\\x22\\x27]Cache-Control: no-cache\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}print [\\x22\\x27]Content-type: text\\/html\\\\n\\\\n[\\x22\\x27][\\x09\\x20]{0,32};\\s{0,128}my \\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}CGI::param\\([\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)[\\x09\\x20]{0,32};\\s{0,128}system\\([\\x22\\x27]\\$/\r\n condition:\r\n all of them\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:49:54Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--4f5204e2-efbe-4200-8f2c-bc6ebbb952da" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:50:30.000Z" ,
"modified" : "2021-04-21T08:50:30.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Trojan_SH_ATRIUM_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"a631b7a8a11e6df3fccb21f4d34dbd8a\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"CGI::param(\"\r\n $s2 = \"Cache-Control: no-cache\"\r\n $s3 = \"system(\"\r\n $s4 = /sed -i [^\\r\\n]{1,128}CGI::param\\([^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Cache-Control: no-cache[^\\r\\n]{1,128}print[\\x20\\x09]{1,32}[^\\r\\n]{1,128}Content-type: text\\/html[^\\r\\n]{1,128}my [^\\r\\n]{1,128}=[\\x09\\x20]{0,32}CGI::param\\([^\\r\\n]{1,128}system\\(/\r\n condition:\r\n all of them\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:50:30Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c73a7441-1444-42a9-974d-3f3e64168bcc" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:51:03.000Z" ,
"modified" : "2021-04-21T08:51:03.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_HARDPULSE \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"980cba9e82faf194edb6f3cc20dc73ff\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}unless[\\x09\\x20]{0,32}\\(open\\(\\$\\w{1,64},[\\x09\\x20]{0,32}\\$\\w{1,64}\\)\\)\\s{0,128}\\{\\s{1,128}goto[\\x09\\x20]{1,32}\\w{1,64}[\\x09\\x20]{0,32}\\x3b\\s{1,128}return[\\x09\\x20]{1,32}0[\\x09\\x20]{0,32}\\x3b\\s{0,128}\\}/ \r\n $r2 = /open[\\x09\\x20]{0,32}\\(\\*\\w{1,64}[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>/ \r\n $r3 = /if[\\x09\\x20]{0,32}\\(\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27]\\w{1,64}[\\x22\\x27]\\)\\s{0,128}\\{\\s{1,128}print[\\x09\\x20]{0,32}[\\x22\\x27]Content-type/ \r\n $s1 = \"CGI::request_method()\" \r\n $s2 = \"CGI::param(\" \r\n $s3 = \"syswrite(\" \r\n $s4 = \"print $_\" \r\n condition: \r\n all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:51:03Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--642cf927-5c24-4846-b8a7-5b895c87594f" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:51:36.000Z" ,
"modified" : "2021-04-21T08:51:36.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_LOCKPICK_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"e8bfd3f5a2806104316902bbe1195ee8\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }\r\n $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }\r\n condition:\r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:51:36Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--c7b0b3ec-3c74-4329-abc4-0d4414228f90" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:52:09.000Z" ,
"modified" : "2021-04-21T08:52:09.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00/proc/%d/mem\\x00\" \r\n $s2 = \"\\x00/proc/%s/maps\\x00\" \r\n $s3 = \"\\x00/proc/%s/cmdline\\x00\" \r\n $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } \r\n $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:52:09Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--76f29c1c-c880-4baa-be5a-cecf57c18d38" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:52:37.000Z" ,
"modified" : "2021-04-21T08:52:37.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux_PACEMAKER \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"d7881c4de4d57828f7e1cab15687274b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"\\x00Name:%s || Pwd:%s || AuthNum:%s\\x0a\\x00\" \r\n $s2 = \"\\x00/proc/%d/mem\\x00\" \r\n $s3 = \"\\x00/proc/%s/maps\\x00\" \r\n $s4 = \"\\x00/proc/%s/cmdline\\x00\" \r\n condition: \r\n (uint32(0) == 0x464c457f) and all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:52:37Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--12ee2578-f80b-4db9-b7c5-75c5f05215f2" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:53:06.000Z" ,
"modified" : "2021-04-21T08:53:06.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_PULSECHECK_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $r1 = /while[\\x09\\x20]{0,32}\\(<\\w{1,64}>\\)[\\x09\\x20]{0,32}\\{\\s{1,256}\\$\\w{1,64}[\\x09\\x20]{0,32}\\.=[\\x09\\x20]{0,32}\\$_;\\s{0,256}\\}/ \r\n $s1 = \"use Crypt::RC4;\" \r\n $s2 = \"use MIME::Base64\" \r\n $s3 = \"MIME::Base64::decode(\" \r\n $s4 = \"popen(\" \r\n $s5 = \" .= $_;\" \r\n $s6 = \"print MIME::Base64::encode(RC4(\" \r\n $s7 = \"HTTP_X_\" \r\n condition: \r\n $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:53:06Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--ef28ce31-93a2-48a8-8ed8-b56b8caf60a7" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:53:49.000Z" ,
"modified" : "2021-04-21T08:53:49.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_PULSEJUMP_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2021-04-16\"\r\n md5 = \"91ee23ee24e100ba4a943bb4c15adb4c\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings:\r\n $s1 = \"open(\"\r\n $s2 = \">>/tmp/\"\r\n $s3 = \"syswrite(\"\r\n $s4 = /\\}[\\x09\\x20]{0,32}elsif[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{1,32}eq[\\x09\\x20]{1,32}[\\x22\\x27](Radius|Samba|AD)[\\x22\\x27][\\x09\\x20]{0,32}\\)\\s{0,128}\\{\\s{0,128}@\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}&/\r\n condition:\r\n all of them\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:53:49Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--d11dc00d-249a-4b44-a70d-8d1912c6b012" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:54:19.000Z" ,
"modified" : "2021-04-21T08:54:19.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_QUIETPULSE \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"00575bec8d74e221ff6248228c509a16\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = /open[\\x09\\x20]{0,32}\\(\\*STDOUT[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s2 = /open[\\x09\\x20]{0,32}\\(\\*STDERR[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}[\\x22\\x27]>&CLIENT[\\x22\\x27]\\)/ \r\n $s3 = /socket[\\x09\\x20]{0,32}\\(SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}PF_UNIX[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOCK_STREAM[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{0,128}unlink/ \r\n $s4 = /bind[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}sockaddr_un\\(/ \r\n $s5 = /listen[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}SERVER[\\x09\\x20]{0,32},[\\x09\\x20]{0,32}SOMAXCONN[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};/ \r\n $s6 = /my[\\x09\\x20]{1,32}\\$\\w{1,64}[\\x09\\x20]{0,32}=[\\x09\\x20]{0,32}fork\\([\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32};\\s{1,128}if[\\x09\\x20]{0,32}\\([\\x09\\x20]{0,32}\\$\\w{1,64}[\\x09\\x20]{0,32}==[\\x09\\x20]{0,32}0[\\x09\\x20]{0,32}\\)[\\x09\\x20]{0,32}\\{\\s{1,128}exec\\(/ \r\n condition: \r\n all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:54:19Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b78852fc-95f7-4ec5-a7ed-e001320e19b4" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:54:52.000Z" ,
"modified" : "2021-04-21T08:54:52.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_1 \r\n{\r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n sha256 = \"d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $s1 = \"->getRealmInfo()->{name}\" \r\n $s2 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>/ \r\n $s3 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]realm=\\$/ \r\n $s4 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]username=\\$/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]password=\\$/ \r\n condition: \r\n (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:54:52Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--9df4fc8c-7277-4488-9f3b-ff2a0f51aa66" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:55:20.000Z" ,
"modified" : "2021-04-21T08:55:20.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_2 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/[\\w.]{1,128}[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$\\w{1,128} ?[\\x22\\x27],[\\x09\\x20]{0,32}5000\\)/ \r\n condition: \r\n all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:55:20Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--b79a5423-1769-4be7-a580-909c99a08598" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:55:55.000Z" ,
"modified" : "2021-04-21T08:55:55.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_3 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\" \r\n md5 = \"4a2a7cbc1c8855199a27a7a7b51d0117\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\"\r\n strings: \r\n $s1 = \"open(*fd,\" \r\n $s2 = \"syswrite(*fd,\" \r\n $s3 = \"close(*fd);\" \r\n $s4 = /open\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27]>>\\/tmp\\/dsstartssh\\.statementcounters[\\x22\\x27]\\);[\\x09\\x20]{0,32}syswrite\\(\\*fd,[\\x09\\x20]{0,32}/ \r\n $s5 = /syswrite\\(\\*fd,[\\x09\\x20]{0,32}[\\x22\\x27][\\w]{1,128}=\\$username ?[\\x22\\x27],[\\x09\\x20]{0,32}\\d{4}\\)/ \r\n condition: \r\n all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:55:55Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--17e7dce5-405d-4cf1-8d2f-9f3de6653c75" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:56:27.000Z" ,
"modified" : "2021-04-21T08:56:27.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Backdoor_Linux32_SLOWPULSE_1 \r\n{ \r\n meta: \r\n author = \"Mandiant\" \r\n date_created = \"2021-04-16\"\r\n sha256 = \"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\"\r\n reference_url = \"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\" \r\n strings: \r\n $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} \r\n $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} \r\n $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} \r\n $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} \r\n $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:56:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--95be007c-e7a2-45a6-a1ff-d0f334e662da" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:56:57.000Z" ,
"modified" : "2021-04-21T08:56:57.000Z" ,
"pattern" : "rule FE_APT_Backdoor_Linux32_SLOWPULSE_2\r\n{ \r\n meta: \r\n author = \\\\\"Strozfriedberg\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\"\r\n sha256 = \\\\\"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $sig = /[\\\\x20-\\\\x7F]{16}([\\\\x20-\\\\x7F\\\\x00]+)\\\\x00.{1,32}\\\\xE9.{3}\\\\xFF\\\\x00+[\\\\x20-\\\\x7F][\\\\x20-\\\\x7F\\\\x00]{16}/ \r\n\r\n // TOI_MAGIC_STRING \r\n $exc1 = /\\\\xED\\\\xC3\\\\x02\\\\xE9\\\\x98\\\\x56\\\\xE5\\\\x0C/ \r\n condition:\r\n uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))\r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:56:57Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "indicator" ,
"spec_version" : "2.1" ,
"id" : "indicator--40e78b71-1425-4450-aa39-08ecaa30f0df" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:57:27.000Z" ,
"modified" : "2021-04-21T08:57:27.000Z" ,
"pattern" : "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_STEADYPULSE_1\r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n sha256 = \\\\\"168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $s1 = \\\\\"parse_parameters\\\\\" \r\n $s2 = \\\\\"s/\\\\\\\\+/ /g\\\\\" \r\n $s3 = \\\\\"s/\\\\%(..)/pack(\\\\\" \r\n $s4 = \\\\\"MIME::Base64::encode($\\\\\" \r\n $s5 = \\\\\"$|=1;\\\\\" \r\n $s6 = \\\\\"RC4(\\\\\" \r\n $s7 = \\\\\"$FORM{\\'cmd\\'}\\\\\" \r\n condition: \r\n all of them \r\n}" ,
"pattern_type" : "yara" ,
"pattern_version" : "2.1" ,
"valid_from" : "2021-04-21T08:57:27Z" ,
"kill_chain_phases" : [
{
"kill_chain_name" : "misp-category" ,
"phase_name" : "misc"
}
] ,
"labels" : [
"misp:name=\"yara\"" ,
"misp:meta-category=\"misc\"" ,
"misp:to_ids=\"True\""
]
} ,
{
"type" : "note" ,
"spec_version" : "2.1" ,
"id" : "note--82e160db-f47a-433c-865a-fb667f3cff29" ,
"created_by_ref" : "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f" ,
"created" : "2021-04-21T08:10:03.000Z" ,
"modified" : "2021-04-21T08:10:03.000Z" ,
"abstract" : "Report from - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html (1618992558)" ,
"content" : "# Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day\r\n\r\nApril 20, 2021 | by Dan Perez, Sarah Jones, Greg Wood, Stephen Eckels vulnerabilities\r\nMalware\r\nTTPs\r\npersistence\r\nbypass\r\n\r\n#### Executive Summary\r\n\r\n\r\n* Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n* This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n* The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n* Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n* Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n* There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process.\r\n\r\n#### Introduction\r\n\r\nMandiant is currently tracking 12 malware families associated with the exploitation of Pulse Secure VPN devices. These families are related to the circumvention of authentication and backdoor access to these devices, but they are not necessarily related to each other and have been observed in separate investigations. It is likely that multiple actors are responsible for the creation and deployment of these various code families.\r\n\r\nThe focus of this report is on the activities of UNC2630 against U.S. Defense Industrial base (DIB) networks, but detailed malware analysis and detection methods for all samples observed at U.S. and European victim organizations are provided in the technical annex to assist network defenders in identifying a large range of malicious activity on affected appliances. Analysis is ongoing to determine the extent of the activity.\r\n\r\nMandiant continues to collaborate with the Ivanti and Pulse Secure teams, Microsoft Threat Intelligence Center (MSTIC), and relevant government and law enforcement agencies to investigate the threat, as well as develop recommendations and mitigations for affected Pulse Secure VPN appliance owners.\r\n\r\nAs part of their investigation, Ivanti has released mitigations for a vulnerability exploited in relation to this campaign as well as the Pulse Connect Secure Integrity Tool to assist with determining if systems have been impacted.\r\n\r\n#### Details\r\n\r\nEarly this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment.\r\n\r\nIn many cases, we were not able to determine how actors obtained administrator-level access to the appliances. However, based on analysis by Ivanti, we suspect some intrusions were due to the exploitation of previously disclosed Pulse Secure vulnerabilities from 2019 and 2020 while other intrusions were due to the exploitation of CVE-2021-22893.\r\n\r\nWe observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance. This was done to accomplish the foll" ,
"object_refs" : [
"report--b7f8805b-fec8-4491-b866-83a457212437"
]
} ,
{
"type" : "marking-definition" ,
"spec_version" : "2.1" ,
"id" : "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ,
"created" : "2017-01-20T00:00:00.000Z" ,
"definition_type" : "tlp" ,
"name" : "TLP:WHITE" ,
"definition" : {
"tlp" : "white"
}
}
]
}