misp-circl-feed/feeds/circl/stix-2.1/b7f8805b-fec8-4491-b866-83a457212437.json


{
"type": "bundle",
"id": "bundle--b7f8805b-fec8-4491-b866-83a457212437",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:38:12.000Z",
"modified": "2021-04-21T09:38:12.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--b7f8805b-fec8-4491-b866-83a457212437",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:38:12.000Z",
"modified": "2021-04-21T09:38:12.000Z",
"name": "FireEye Mandiant PulseSecure Exploitation Countermeasures",
"published": "2021-04-21T09:38:28Z",
"object_refs": [
"observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
"url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
"observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4",
"url--5cb95524-3fef-4334-9fef-e6d3f00982a4",
"indicator--d584973b-e85b-431b-a2f2-c3cd33562245",
"indicator--55301c17-7b0e-450d-89be-54eb3f096592",
"indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6",
"indicator--4ad4982e-87bf-4edc-915b-4ad84f3b13eb",
"indicator--2b0bd4a3-3f4a-4e9a-b330-52a196385fc0",
"indicator--baccb07a-3ac5-4a08-89d0-5c02114ad60b",
"x-misp-object--57ffce5f-60a8-40ae-b11e-624ca218704d",
"indicator--6854614c-df9f-4bb5-8de0-857c943be550",
"indicator--874ca0e5-827e-43f8-99f5-a2a5aa60e672",
"indicator--cd13cfd7-f4dc-4864-9009-30baa29551a6",
"indicator--1d87313f-7519-4748-bfb1-fc8b60906cf6",
"indicator--0b65ad47-db4b-4f58-a33c-e671746afa05",
"indicator--5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01",
"indicator--efd7b1ec-0fff-498a-ad64-d1d259ebbf82",
"indicator--35ae369e-4ab2-447c-819c-c366f547ca9c",
"indicator--5f99e163-f31e-4994-8a56-4b249d894012",
"indicator--0690ab34-3ffe-4d37-b6a7-4ce477d4de60",
"indicator--30408119-108d-495f-89ca-cbe1dcf0b68b",
"indicator--c0b88e1a-d76c-4226-bffa-45ca59bc2fa9",
"indicator--dbab04b4-1df0-4055-be1a-2ad6d47b15de",
"indicator--5279454c-137c-4df2-ab40-d4f67be95f40",
"indicator--61f23a4d-8a5f-4a4c-b846-4f87797fbb1a",
"indicator--44e27409-7862-42be-bf2b-4d18fa27243f",
"indicator--3347af09-6558-4e07-ac68-c7abe87079b9",
"indicator--ec665abd-0414-4647-b4cd-9fa22e979ab8",
"indicator--3e50f8b8-0dbc-4bec-80de-30e325671f95",
"indicator--2620c50d-6305-45cb-8aff-e37d50425358",
"indicator--cfaa4938-1778-45cd-b95a-61be8ba0837e",
"indicator--0da707a9-b329-4d30-b907-01fe6c1de17c",
"indicator--df51083d-32e2-4812-89bb-f7036472920e",
"indicator--5151611d-c11d-47cf-9a9c-5ef132b1a303",
"indicator--298449a1-8e86-409c-96fb-0c225d9f98a9",
"indicator--cf564f32-56e9-4fe0-87ac-5e5df91b0c9f",
"indicator--bbcc14ea-c7fc-4b15-a020-b619641add7e",
"indicator--60b5f9a7-ffa3-4d56-a1a7-6642638be3e6",
"indicator--04323a10-ee75-43ae-9150-001fe9a27ab7",
"indicator--bbdbb662-a8b1-4c13-85f2-898abde6d3f9",
"indicator--b4a44973-985c-4058-b968-9cd867f1bef6",
"indicator--ca389b0d-fbe4-42bc-96e3-56b5f4886c9b",
"indicator--34384af6-0071-435b-84c1-bf8c3420cd08",
"indicator--1fc8066f-98aa-4e70-b4ee-0710931cdac7",
"indicator--447d890e-3529-486e-b4f8-704b813d745f",
"indicator--7bd70c6d-d345-45f3-a8ac-00e4a2149cea",
"indicator--8f5eaca0-34a1-4e85-b6b3-8082bce62175",
"indicator--4f5204e2-efbe-4200-8f2c-bc6ebbb952da",
"indicator--c73a7441-1444-42a9-974d-3f3e64168bcc",
"indicator--642cf927-5c24-4846-b8a7-5b895c87594f",
"indicator--c7b0b3ec-3c74-4329-abc4-0d4414228f90",
"indicator--76f29c1c-c880-4baa-be5a-cecf57c18d38",
"indicator--12ee2578-f80b-4db9-b7c5-75c5f05215f2",
"indicator--ef28ce31-93a2-48a8-8ed8-b56b8caf60a7",
"indicator--d11dc00d-249a-4b44-a70d-8d1912c6b012",
"indicator--b78852fc-95f7-4ec5-a7ed-e001320e19b4",
"indicator--9df4fc8c-7277-4488-9f3b-ff2a0f51aa66",
"indicator--b79a5423-1769-4be7-a580-909c99a08598",
"indicator--17e7dce5-405d-4cf1-8d2f-9f3de6653c75",
"indicator--95be007c-e7a2-45a6-a1ff-d0f334e662da",
"indicator--40e78b71-1425-4450-aa39-08ecaa30f0df"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"estimative-language:confidence-in-analytic-judgment=\"high\"",
"estimative-language:likelihood-probability=\"almost-certain\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:07:36.000Z",
"modified": "2021-04-21T08:07:36.000Z",
"first_observed": "2021-04-21T08:07:36Z",
"last_observed": "2021-04-21T08:07:36Z",
"number_observed": 1,
"object_refs": [
"url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5b5a9d8a-fd3d-4a40-8158-c00f07b5cf04",
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5cb95524-3fef-4334-9fef-e6d3f00982a4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:12:08.000Z",
"modified": "2021-04-21T08:12:08.000Z",
"first_observed": "2021-04-21T08:12:08Z",
"last_observed": "2021-04-21T08:12:08Z",
"number_observed": 1,
"object_refs": [
"url--5cb95524-3fef-4334-9fef-e6d3f00982a4"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5cb95524-3fef-4334-9fef-e6d3f00982a4",
"value": "https://www.circl.lu/pub/tr-63"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d584973b-e85b-431b-a2f2-c3cd33562245",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:\"APT.Webshell.PL.PULSECHECK callback\"; flow:to_server; content:\"POST \"; depth:5; content:\" HTTP/1.1|0d 0a|\"; distance:1; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; reference:mal_hash, a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1; reference:date_created,2021-04-16; sid:999999999; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--55301c17-7b0e-450d-89be-54eb3f096592",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.PULSECHECK.[X-CMD:]\"; content:\"POST \"; depth:5; content:\"|0d 0a|X-CMD: \"; nocase; fast_pattern; content:\"|0d 0a|X-CNT: \"; nocase; content:\"|0d 0a|X-KEY: \"; nocase; content:!\"|0d 0a|Referer: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; sid: 999999999; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e8e292e5-5fab-4e5b-afa0-89df4eb361d6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE.[<form action=]\"; flow:to_client; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; pcre:\"/<\\/form>\\s{0,512}<pre>/R\"; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4ad4982e-87bf-4edc-915b-4ad84f3b13eb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[<form action=]\"; content:\"<form action=\\\"\\\" method=\\\"GET\\\">\"; content:\"<input type=\\\"text\\\" name=\\\"cmd\\\" \"; distance:0; fast_pattern; content:\"<input type=\\\"text\\\" name=\\\"serverid\\\" \"; distance:0; content:\"<input type=\\\"submit\\\" value=\\\"Run\\\">\"; distance:0; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2b0bd4a3-3f4a-4e9a-b330-52a196385fc0",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp any any -> any any ( msg:\"APT.Webshell.HTTP.STEADYPULSE.[Results of]\"; content:\"|0d 0a|Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; fast_pattern; content:!\"|0d 0a|Referer: \"; content:!\"|0d 0a|User-Agent: \"; content:!\"fast_pattern\"; threshold:type limit,track by_src,count 1,seconds 3600; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; sid: 999999999; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--baccb07a-3ac5-4a08-89d0-5c02114ad60b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T09:01:21.000Z",
"modified": "2021-04-21T09:01:21.000Z",
"pattern": "[alert tcp any $HTTP_PORTS -> any any ( msg:\"APT.Webshell.PL.STEADYPULSE. .[Results of]\"; flow:to_client; content:\"Results of '\"; content:\"' execution:|0a 0a|\"; distance:1; within:256; reference:mal_hash, 168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc; reference:date_created,2021-04-16; sid: 999999999; fast_pattern; )]",
"pattern_type": "snort",
"valid_from": "2021-04-21T09:01:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"snort\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--57ffce5f-60a8-40ae-b11e-624ca218704d",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:08:50.000Z",
"modified": "2021-04-21T08:08:50.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html",
"category": "External analysis",
"uuid": "4fa4a70a-3aff-4432-ac42-9409399e196d"
},
{
"type": "text",
"object_relation": "summary",
"value": "Mandiant recently responded to multiple security incidents involving compromises of Pulse Secure VPN appliances.\r\n This blog post examines multiple, related techniques for bypassing single and multifactor authentication on Pulse Secure VPN devices, persisting across upgrades, and maintaining access through webshells.\r\n The investigation by Pulse Secure has determined that a combination of prior vulnerabilities and a previously unknown vulnerability discovered in April 2021, CVE-2021-22893, are responsible for the initial infection vector.\r\n Pulse Secure\u2019s parent company, Ivanti, released mitigations for a vulnerability exploited in relation to these malware families and the Pulse Connect Secure Integrity Tool for their customers to determine if their systems are impacted. A final patch to address the vulnerability will be available in early May 2021.\r\n Pulse Secure has been working closely with Mandiant, affected customers, government partners, and other forensic experts to address these issues.\r\n There is no indication the identified backdoors were introduced through a supply chain compromise of the company\u2019s network or software deployment process.",
"category": "Other",
"uuid": "eebfc2b8-6467-4cdd-8a31-041708d20a55"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6854614c-df9f-4bb5-8de0-857c943be550",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:15:06.000Z",
"modified": "2021-04-21T08:15:06.000Z",
"description": "SLOWPULSE V1 - libdsplibs.so ",
"pattern": "[file:hashes.MD5 = '23ff4df644aa408d6a074eb8fa9f0da3' AND file:hashes.SHA256 = 'cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:15:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--874ca0e5-827e-43f8-99f5-a2a5aa60e672",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:17:02.000Z",
"modified": "2021-04-21T08:17:02.000Z",
"description": "SLOWPULSE V2 \r\nlibdsplibs.so ",
"pattern": "[file:hashes.MD5 = '8bf3ebe60f393f4c2fe0bbeb4976fc46' AND file:hashes.SHA256 = '1ab50b77dd9515f6cd9ed07d1d3176ba4627a292dc4a21b16ac9d211353818bd' AND file:name = 'libdsplibs.so']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:17:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cd13cfd7-f4dc-4864-9009-30baa29551a6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:17:49.000Z",
"modified": "2021-04-21T08:17:49.000Z",
"description": "SLOWPULSE V3 \r\nlibdsplibs.so ",
"pattern": "[file:hashes.MD5 = '8f5d87592f68d8350656f722f6f21e10' AND file:hashes.SHA256 = 'b1c2368773259fbfef425e0bb716be958faa7e74b3282138059f511011d3afd9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:17:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1d87313f-7519-4748-bfb1-fc8b60906cf6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:19:22.000Z",
"modified": "2021-04-21T08:19:22.000Z",
"description": "SLOWPULSE V2 Patcher \r\nunknown ",
"pattern": "[file:hashes.MD5 = '32a9bc24c6670a3cf880a8c0c9e9dfaf' AND file:hashes.SHA256 = 'c9b323b9747659eac25cec078895d75f016e26a8b5858567c7fb945b7321722c']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:19:22Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0b65ad47-db4b-4f58-a33c-e671746afa05",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:20:00.000Z",
"modified": "2021-04-21T08:20:00.000Z",
"description": "SLOWPULSE V3 Patcher \r\nunknown ",
"pattern": "[file:hashes.MD5 = '6272aa2f8f47e2a63f138d81e69fdba7' AND file:hashes.SHA256 = '06c56bd272b19bf7d7207443693cd1fc774408c4ca56744577b11fee550c23f7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:20:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c9a0062-ee55-43b0-ad64-3c5f6fdf3d01",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:20:45.000Z",
"modified": "2021-04-21T08:20:45.000Z",
"description": "SLOWPULSE V4 Patcher \r\nunknown ",
"pattern": "[file:hashes.MD5 = 'beff02edb0f6a7c2b341aa780e88a48c' AND file:hashes.SHA256 = 'e63ab6f82c711e4ecc8f5b36046eb7ea216f41eb90158165b82a6c90560ea415']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:20:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--efd7b1ec-0fff-498a-ad64-d1d259ebbf82",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:21:24.000Z",
"modified": "2021-04-21T08:21:24.000Z",
"description": "SLOWPULSE V4 UnPatcher \r\nunknown ",
"pattern": "[file:hashes.MD5 = 'ece3e2a6b6e3531b50cc74c7f87cdc8d' AND file:hashes.SHA256 = 'b2350954b9484ae4eac42b95fae6edf7a126169d0b93d79f49d36c5e6497062a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:21:24Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--35ae369e-4ab2-447c-819c-c366f547ca9c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:22:02.000Z",
"modified": "2021-04-21T08:22:02.000Z",
"description": "PULSECHECK \r\nsecid_canceltoken.cgi",
"pattern": "[file:hashes.MD5 = '33c4947efe66ce8c175464b4e262fe16' AND file:hashes.SHA256 = 'a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:22:02Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5f99e163-f31e-4994-8a56-4b249d894012",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:22:48.000Z",
"modified": "2021-04-21T08:22:48.000Z",
"description": "PULSECHECK \r\nCompcheckjs.cgi ",
"pattern": "[file:hashes.MD5 = '9aa378cbec161ccd168be212c8856749' AND file:hashes.SHA256 = '6f4dec58548f5193b5e511ecc3c63154ae3c93f9345661a774cb69a1ce16c577']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:22:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0690ab34-3ffe-4d37-b6a7-4ce477d4de60",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:23:37.000Z",
"modified": "2021-04-21T08:23:37.000Z",
"description": "RADIALPULSE \r\napac_login.cgi unknown \r\n",
"pattern": "[file:hashes.MD5 = '1cd91b74f8d2d2fe952a97e9040073d8' AND file:hashes.SHA256 = 'd72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:23:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--30408119-108d-495f-89ca-cbe1dcf0b68b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:24:18.000Z",
"modified": "2021-04-21T08:24:18.000Z",
"description": "RADIALPULSE \r\nbasicauth_userpass.cgi ",
"pattern": "[file:hashes.MD5 = '4a2a7cbc1c8855199a27a7a7b51d0117' AND file:hashes.SHA256 = '293cc71af317593e0e5d9f8c6fd7a732977c63174becc8dedadf8f8f4cc9c922']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:24:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c0b88e1a-d76c-4226-bffa-45ca59bc2fa9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:25:06.000Z",
"modified": "2021-04-21T08:25:06.000Z",
"description": "RADIALPULSE \r\ndswebserver.sh ",
"pattern": "[file:hashes.MD5 = '4d416e551821ccce8bc9c4457d10573b' AND file:hashes.SHA256 = 'b72fdae94e78fe51205966179573693c01eae98ece228af13041855cc4e255b1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:25:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--dbab04b4-1df0-4055-be1a-2ad6d47b15de",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:25:48.000Z",
"modified": "2021-04-21T08:25:48.000Z",
"description": "RADIALPULSE \r\nunknown \r\n",
"pattern": "[file:hashes.MD5 = '558090216cf8199802f11da4f70db897' AND file:hashes.SHA256 = 'dea123cd0a48f01ef9176946f11e4b2b23218018ebcea7ff08d552f88906c52d']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:25:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5279454c-137c-4df2-ab40-d4f67be95f40",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:26:26.000Z",
"modified": "2021-04-21T08:26:26.000Z",
"description": "RADIALPULSE \r\nlogin.cgi ",
"pattern": "[file:hashes.MD5 = '56e2a1566c7989612320f4ef1669e7d5' AND file:hashes.SHA256 = 'e9df4e13131c95c75ca41a95e08599b3d480e5e7a7922ff0a3fa00bef3bd6561']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:26:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--61f23a4d-8a5f-4a4c-b846-4f87797fbb1a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:27:19.000Z",
"modified": "2021-04-21T08:27:19.000Z",
"description": "RADIALPULSE \r\nlogin.cgi ",
"pattern": "[file:hashes.MD5 = '6c63b5c747e8e351426777b7de94da7c' AND file:hashes.SHA256 = '61f9f6ae26bd3f4d6632bcc722022079aab1ef1d3ddeb71f0f7db2f14aed4ce4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:27:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--44e27409-7862-42be-bf2b-4d18fa27243f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:29:10.000Z",
"modified": "2021-04-21T08:29:10.000Z",
"description": "RADIALPULSE \r\nrd.cgi ",
"pattern": "[file:hashes.MD5 = '957ca40755de8f1f68602476a62799f9' AND file:hashes.SHA256 = 'b482dc4d07e0c11d047c25af3bd239b9c57eaa8648cebf639369ec143297b96a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:29:10Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3347af09-6558-4e07-ac68-c7abe87079b9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:29:54.000Z",
"modified": "2021-04-21T08:29:54.000Z",
"description": "RADIALPULSE \r\nuserpass.cgi ",
"pattern": "[file:hashes.MD5 = 'd21705be48b4b38a66e731f6d4125708' AND file:hashes.SHA256 = 'd61d98a3a68a5a35d49c5c7a43d11d3e22bdb7d26bffb6f5aded83c07c90633a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:29:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ec665abd-0414-4647-b4cd-9fa22e979ab8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:32:21.000Z",
"modified": "2021-04-21T08:32:21.000Z",
"description": "PACEMAKER \r\nmemread \r\n",
"pattern": "[file:hashes.MD5 = 'd7881c4de4d57828f7e1cab15687274b' AND file:hashes.SHA256 = '68743e17f393d1f85ee937dffacc91e081b5f6f43477111ac96aa9d44826e4d2']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:32:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--3e50f8b8-0dbc-4bec-80de-30e325671f95",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:34:27.000Z",
"modified": "2021-04-21T08:34:27.000Z",
"description": "PACEMAKER Launcher Utility \r\nunknown\r\n",
"pattern": "[file:hashes.MD5 = '4cb9bb1cdc1931c738843f7dfe63f5c4' AND file:hashes.SHA256 = '4c5555955b2e6dc55f52b0c1a3326f3d07b325b112060329c503b294208960ec']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:34:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--2620c50d-6305-45cb-8aff-e37d50425358",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:35:12.000Z",
"modified": "2021-04-21T08:35:12.000Z",
"description": "THINBLOOD \r\ndsclslog ",
"pattern": "[file:hashes.MD5 = 'f38fe97c2a7419e62ce72439bdbb85b5' AND file:hashes.SHA256 = '88170125598a4fb801102ad56494a773895059ac8550a983fdd2ef429653f079']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:35:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cfaa4938-1778-45cd-b95a-61be8ba0837e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:36:11.000Z",
"modified": "2021-04-21T08:36:11.000Z",
"description": "THINBLOOD Variant \r\nclear_log.sh ",
"pattern": "[file:hashes.MD5 = 'ecbd062c45d5fd38bb7f58289a8f5c86' AND file:hashes.SHA256 = '1741dc0a491fcc8d078220ac9628152668d3370b92a8eae258e34ba28c6473b9']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:36:11Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--0da707a9-b329-4d30-b907-01fe6c1de17c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:36:48.000Z",
"modified": "2021-04-21T08:36:48.000Z",
"description": "SLIGHTPULSE \r\nmeeting_testjs.cgi ",
"pattern": "[file:hashes.MD5 = '57df2d9468b66d7585f79b12d4249f22' AND file:hashes.SHA256 = '133631957d41eed9496ac2774793283ce26f8772de226e7f520d26667b51481a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:36:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--df51083d-32e2-4812-89bb-f7036472920e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:37:33.000Z",
"modified": "2021-04-21T08:37:33.000Z",
"description": "ATRIUM \r\ncompcheckresult.cgi ",
"pattern": "[file:hashes.MD5 = 'ca0175d86049fa7c796ea06b413857a3' AND file:hashes.SHA256 = 'f2b1bd703c3eb05541ff84ec375573cbdc70309ccb82aac04b72db205d718e90']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:37:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5151611d-c11d-47cf-9a9c-5ef132b1a303",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:38:13.000Z",
"modified": "2021-04-21T08:38:13.000Z",
"description": "ATRIUM \r\ndo-install ",
"pattern": "[file:hashes.MD5 = 'a631b7a8a11e6df3fccb21f4d34dbd8a' AND file:hashes.SHA256 = '2202234643bcd4807f21fbe4eb9ef3be9a6857ef92fd5979abb2b97b3c113966']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:38:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--298449a1-8e86-409c-96fb-0c225d9f98a9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:39:25.000Z",
"modified": "2021-04-21T08:39:25.000Z",
"description": "Persistence Patcher (ATRIUM)\r\nDSUpgrade.pm ",
"pattern": "[file:hashes.MD5 = 'd2ef3894c6e46453b7d9416ff0d4d6cc' AND file:hashes.SHA256 = '224b7c45cf6fe4547d3ea66a12c30f3cb4c601b0a80744154697094e73dbd450']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:39:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--cf564f32-56e9-4fe0-87ac-5e5df91b0c9f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:40:31.000Z",
"modified": "2021-04-21T08:40:31.000Z",
"description": "Persistence Patcher (ATRIUM)\r\nDSUpgrade.pm ",
"pattern": "[file:hashes.MD5 = 'd855ebd2adeaf2b3c87b28e77e9ce4d4' AND file:hashes.SHA256 = 'a3b60b4bc4a5c7af525491ba37b570f90405aa83e36655da7d91bd68acaedf85']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:40:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bbcc14ea-c7fc-4b15-a020-b619641add7e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:41:23.000Z",
"modified": "2021-04-21T08:41:23.000Z",
"description": "Persistence Patcher (STEADYPULSE)\r\nDSUpgrade.pm",
"pattern": "[file:hashes.MD5 = '5009b307214abc4ba5e24fa99133b934' AND file:hashes.SHA256 = '64c87520565165ac95b74d6450b3ab8379544933dd3e2f2c4dc9b03a3ec570a7']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:41:23Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--60b5f9a7-ffa3-4d56-a1a7-6642638be3e6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:42:01.000Z",
"modified": "2021-04-21T08:42:01.000Z",
"description": "Persistence Patcher (PULSECHECK)\r\nDSUpgrade.pm",
"pattern": "[file:hashes.MD5 = 'de9184422b477ca3b6aae536979e8626' AND file:hashes.SHA256 = '705cda7d1ace8f4adeec5502aa311620b8d6c64046a1aed2ae833e2f2835154f']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:42:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--04323a10-ee75-43ae-9150-001fe9a27ab7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:42:56.000Z",
"modified": "2021-04-21T08:42:56.000Z",
"description": "Persistence Patcher (UNKNOWN)\r\nDSUpgrade.pm",
"pattern": "[file:hashes.MD5 = '22cc57df424cac79f5bf78109a443523' AND file:hashes.SHA256 = '78d7c7c9f800f6824f63a99d935a4ad0112f97953d8c100deb29dae24d7da282']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:42:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bbdbb662-a8b1-4c13-85f2-898abde6d3f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:43:34.000Z",
"modified": "2021-04-21T08:43:34.000Z",
"description": "LOCKPICK \r\nlibcrypto.so ",
"pattern": "[file:hashes.MD5 = 'e8bfd3f5a2806104316902bbe1195ee8' AND file:hashes.SHA256 = '2610d0372e0e107053bc001d278ef71f08562e5610691f18b978123c499a74d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:43:34Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b4a44973-985c-4058-b968-9cd867f1bef6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:44:13.000Z",
"modified": "2021-04-21T08:44:13.000Z",
"description": "LOCKPICK Patcher\r\nunknown",
"pattern": "[file:hashes.MD5 = '0ac5571f69a1cb17110d7c5af772a5eb' AND file:hashes.SHA256 = 'b990f79ce80c24625c97810cb8f161eafdcb10f1b8d9d538df4ca9be387c35e4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:44:13Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ca389b0d-fbe4-42bc-96e3-56b5f4886c9b",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:44:58.000Z",
"modified": "2021-04-21T08:44:58.000Z",
"description": "HARDPULSE \r\ncompcheckjava.cgi",
"pattern": "[file:hashes.MD5 = '980cba9e82faf194edb6f3cc20dc73ff' AND file:hashes.SHA256 = '1d3ab04e21cfd40aa8d4300a359a09e3b520d39b1496be1e4bc91ae1f6730ecc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:44:58Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--34384af6-0071-435b-84c1-bf8c3420cd08",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:45:48.000Z",
"modified": "2021-04-21T08:45:48.000Z",
"description": "PULSEJUMP \r\nunknown ",
"pattern": "[file:hashes.MD5 = '91ee23ee24e100ba4a943bb4c15adb4c' AND file:hashes.SHA256 = '7fa71a7f76ef63465cfeacf58217e0b66fc71bc81d37c44380a6f572b8a3ec7a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:45:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1fc8066f-98aa-4e70-b4ee-0710931cdac7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:46:29.000Z",
"modified": "2021-04-21T08:46:29.000Z",
"description": "QUIETPULSE \r\ndsserver ",
"pattern": "[file:hashes.MD5 = '00575bec8d74e221ff6248228c509a16' AND file:hashes.SHA256 = '9f6ac39707822d243445e30d27b8404466aa69c61119d5308785bf4a464a9ebd']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:46:29Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--447d890e-3529-486e-b4f8-704b813d745f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:47:44.000Z",
"modified": "2021-04-21T08:47:44.000Z",
"description": "QUIETPULSE \r\ndshelper ",
"pattern": "[file:hashes.MD5 = '82e77d7ad4d39ed71981a3ddca4ff225' AND file:hashes.SHA256 = 'c774eca633136de35c9d2cd339a3b5d29f00f761657ea2aa438de4f33e4bbba4']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:47:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7bd70c6d-d345-45f3-a8ac-00e4a2149cea",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:48:25.000Z",
"modified": "2021-04-21T08:48:25.000Z",
"description": "STEADYPULSE \r\nlicenseserverproto.cgi ",
"pattern": "[file:hashes.MD5 = 'fb21828f490561810c205241b367095e' AND file:hashes.SHA256 = '168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2021-04-21T08:48:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--8f5eaca0-34a1-4e85-b6b3-8082bce62175",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:49:54.000Z",
"modified": "2021-04-21T08:49:54.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Webshell_PL_ATRIUM_1\r\n{\r\n meta:\r\n author = \\\\\"Mandiant\\\\\"\r\n date_created = \\\\\"2021-04-16\\\\\"\r\n md5 = \\\\\"ca0175d86049fa7c796ea06b413857a3\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings:\r\n $s1 = \\\\\"CGI::param(\\\\\"\r\n $s2 = \\\\\"system(\\\\\"\r\n $s3 = /if[\\\\x09\\\\x20]{0,32}\\\\(CGI::param\\\\([\\\\x22\\\\x27]\\\\w{1,64}[\\\\x22\\\\x27]\\\\)\\\\)\\\\s{0,128}\\\\{[\\\\x09\\\\x20]{0,32}print [\\\\x22\\\\x27]Cache-Control: no-cache\\\\\\\\n[\\\\x22\\\\x27][\\\\x09\\\\x20]{0,32};\\\\s{0,128}print [\\\\x22\\\\x27]Content-type: text\\\\/html\\\\\\\\n\\\\\\\\n[\\\\x22\\\\x27][\\\\x09\\\\x20]{0,32};\\\\s{0,128}my \\\\$\\\\w{1,64}[\\\\x09\\\\x20]{0,32}=[\\\\x09\\\\x20]{0,32}CGI::param\\\\([\\\\x22\\\\x27]\\\\w{1,64}[\\\\x22\\\\x27]\\\\)[\\\\x09\\\\x20]{0,32};\\\\s{0,128}system\\\\([\\\\x22\\\\x27]\\\\$/\r\n condition:\r\n all of them\r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:49:54Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4f5204e2-efbe-4200-8f2c-bc6ebbb952da",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:50:30.000Z",
"modified": "2021-04-21T08:50:30.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_Trojan_SH_ATRIUM_1\r\n{\r\n meta:\r\n author = \\\\\"Mandiant\\\\\"\r\n date_created = \\\\\"2021-04-16\\\\\"\r\n md5 = \\\\\"a631b7a8a11e6df3fccb21f4d34dbd8a\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings:\r\n $s1 = \\\\\"CGI::param(\\\\\"\r\n $s2 = \\\\\"Cache-Control: no-cache\\\\\"\r\n $s3 = \\\\\"system(\\\\\"\r\n $s4 = /sed -i [^\\\\r\\\\n]{1,128}CGI::param\\\\([^\\\\r\\\\n]{1,128}print[\\\\x20\\\\x09]{1,32}[^\\\\r\\\\n]{1,128}Cache-Control: no-cache[^\\\\r\\\\n]{1,128}print[\\\\x20\\\\x09]{1,32}[^\\\\r\\\\n]{1,128}Content-type: text\\\\/html[^\\\\r\\\\n]{1,128}my [^\\\\r\\\\n]{1,128}=[\\\\x09\\\\x20]{0,32}CGI::param\\\\([^\\\\r\\\\n]{1,128}system\\\\(/\r\n condition:\r\n all of them\r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:50:30Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c73a7441-1444-42a9-974d-3f3e64168bcc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:51:03.000Z",
"modified": "2021-04-21T08:51:03.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_HARDPULSE \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"980cba9e82faf194edb6f3cc20dc73ff\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $r1 = /if[\\\\x09\\\\x20]{0,32}\\\\(\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{1,32}eq[\\\\x09\\\\x20]{1,32}[\\\\x22\\\\x27]\\\\w{1,64}[\\\\x22\\\\x27]\\\\)\\\\s{0,128}\\\\{\\\\s{1,128}my[\\\\x09\\\\x20]{1,32}\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{0,32}\\\\x3b\\\\s{1,128}unless[\\\\x09\\\\x20]{0,32}\\\\(open\\\\(\\\\$\\\\w{1,64},[\\\\x09\\\\x20]{0,32}\\\\$\\\\w{1,64}\\\\)\\\\)\\\\s{0,128}\\\\{\\\\s{1,128}goto[\\\\x09\\\\x20]{1,32}\\\\w{1,64}[\\\\x09\\\\x20]{0,32}\\\\x3b\\\\s{1,128}return[\\\\x09\\\\x20]{1,32}0[\\\\x09\\\\x20]{0,32}\\\\x3b\\\\s{0,128}\\\\}/ \r\n $r2 = /open[\\\\x09\\\\x20]{0,32}\\\\(\\\\*\\\\w{1,64}[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>/ \r\n $r3 = /if[\\\\x09\\\\x20]{0,32}\\\\(\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{1,32}eq[\\\\x09\\\\x20]{1,32}[\\\\x22\\\\x27]\\\\w{1,64}[\\\\x22\\\\x27]\\\\)\\\\s{0,128}\\\\{\\\\s{1,128}print[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]Content-type/ \r\n $s1 = \\\\\"CGI::request_method()\\\\\" \r\n $s2 = \\\\\"CGI::param(\\\\\" \r\n $s3 = \\\\\"syswrite(\\\\\" \r\n $s4 = \\\\\"print $_\\\\\" \r\n condition: \r\n all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:51:03Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--642cf927-5c24-4846-b8a7-5b895c87594f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:51:36.000Z",
"modified": "2021-04-21T08:51:36.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_LOCKPICK_1\r\n{\r\n meta:\r\n author = \\\\\"Mandiant\\\\\"\r\n date_created = \\\\\"2021-04-16\\\\\"\r\n md5 = \\\\\"e8bfd3f5a2806104316902bbe1195ee8\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings:\r\n $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }\r\n $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }\r\n condition:\r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])\r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:51:36Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c7b0b3ec-3c74-4329-abc4-0d4414228f90",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:52:09.000Z",
"modified": "2021-04-21T08:52:09.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux32_PACEMAKER \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"d7881c4de4d57828f7e1cab15687274b\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $s1 = \\\\\"\\\\x00/proc/\\\\%d/mem\\\\x00\\\\\" \r\n $s2 = \\\\\"\\\\x00/proc/\\\\%s/maps\\\\x00\\\\\" \r\n $s3 = \\\\\"\\\\x00/proc/\\\\%s/cmdline\\\\x00\\\\\" \r\n $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } \r\n $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:52:09Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--76f29c1c-c880-4baa-be5a-cecf57c18d38",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:52:37.000Z",
"modified": "2021-04-21T08:52:37.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_Linux_PACEMAKER \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"d7881c4de4d57828f7e1cab15687274b\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $s1 = \\\\\"\\\\x00Name:\\\\%s || Pwd:\\\\%s || AuthNum:\\\\%s\\\\x0a\\\\x00\\\\\" \r\n $s2 = \\\\\"\\\\x00/proc/\\\\%d/mem\\\\x00\\\\\" \r\n $s3 = \\\\\"\\\\x00/proc/\\\\%s/maps\\\\x00\\\\\" \r\n $s4 = \\\\\"\\\\x00/proc/\\\\%s/cmdline\\\\x00\\\\\" \r\n condition: \r\n (uint32(0) == 0x464c457f) and all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:52:37Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--12ee2578-f80b-4db9-b7c5-75c5f05215f2",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:53:06.000Z",
"modified": "2021-04-21T08:53:06.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_PULSECHECK_1 \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n sha256 = \\\\\"a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $r1 = /while[\\\\x09\\\\x20]{0,32}\\\\(<\\\\w{1,64}>\\\\)[\\\\x09\\\\x20]{0,32}\\\\{\\\\s{1,256}\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{0,32}\\\\.=[\\\\x09\\\\x20]{0,32}\\\\$_;\\\\s{0,256}\\\\}/ \r\n $s1 = \\\\\"use Crypt::RC4;\\\\\" \r\n $s2 = \\\\\"use MIME::Base64\\\\\" \r\n $s3 = \\\\\"MIME::Base64::decode(\\\\\" \r\n $s4 = \\\\\"popen(\\\\\" \r\n $s5 = \\\\\" .= $_;\\\\\" \r\n $s6 = \\\\\"print MIME::Base64::encode(RC4(\\\\\" \r\n $s7 = \\\\\"HTTP_X_\\\\\" \r\n condition: \r\n $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:53:06Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--ef28ce31-93a2-48a8-8ed8-b56b8caf60a7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:53:49.000Z",
"modified": "2021-04-21T08:53:49.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_PULSEJUMP_1\r\n{\r\n meta:\r\n author = \\\\\"Mandiant\\\\\"\r\n date_created = \\\\\"2021-04-16\\\\\"\r\n md5 = \\\\\"91ee23ee24e100ba4a943bb4c15adb4c\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings:\r\n $s1 = \\\\\"open(\\\\\"\r\n $s2 = \\\\\">>/tmp/\\\\\"\r\n $s3 = \\\\\"syswrite(\\\\\"\r\n $s4 = /\\\\}[\\\\x09\\\\x20]{0,32}elsif[\\\\x09\\\\x20]{0,32}\\\\([\\\\x09\\\\x20]{0,32}\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{1,32}eq[\\\\x09\\\\x20]{1,32}[\\\\x22\\\\x27](Radius|Samba|AD)[\\\\x22\\\\x27][\\\\x09\\\\x20]{0,32}\\\\)\\\\s{0,128}\\\\{\\\\s{0,128}@\\\\w{1,64}[\\\\x09\\\\x20]{0,32}=[\\\\x09\\\\x20]{0,32}&/\r\n condition:\r\n all of them\r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:53:49Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d11dc00d-249a-4b44-a70d-8d1912c6b012",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:54:19.000Z",
"modified": "2021-04-21T08:54:19.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_QUIETPULSE \r\n{\r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"00575bec8d74e221ff6248228c509a16\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $s1 = /open[\\\\x09\\\\x20]{0,32}\\\\(\\\\*STDOUT[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>&CLIENT[\\\\x22\\\\x27]\\\\)/ \r\n $s2 = /open[\\\\x09\\\\x20]{0,32}\\\\(\\\\*STDERR[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>&CLIENT[\\\\x22\\\\x27]\\\\)/ \r\n $s3 = /socket[\\\\x09\\\\x20]{0,32}\\\\(SERVER[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}PF_UNIX[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}SOCK_STREAM[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}0[\\\\x09\\\\x20]{0,32}\\\\)[\\\\x09\\\\x20]{0,32};\\\\s{0,128}unlink/ \r\n $s4 = /bind[\\\\x09\\\\x20]{0,32}\\\\([\\\\x09\\\\x20]{0,32}SERVER[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}sockaddr_un\\\\(/ \r\n $s5 = /listen[\\\\x09\\\\x20]{0,32}\\\\([\\\\x09\\\\x20]{0,32}SERVER[\\\\x09\\\\x20]{0,32},[\\\\x09\\\\x20]{0,32}SOMAXCONN[\\\\x09\\\\x20]{0,32}\\\\)[\\\\x09\\\\x20]{0,32};/ \r\n $s6 = /my[\\\\x09\\\\x20]{1,32}\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{0,32}=[\\\\x09\\\\x20]{0,32}fork\\\\([\\\\x09\\\\x20]{0,32}\\\\)[\\\\x09\\\\x20]{0,32};\\\\s{1,128}if[\\\\x09\\\\x20]{0,32}\\\\([\\\\x09\\\\x20]{0,32}\\\\$\\\\w{1,64}[\\\\x09\\\\x20]{0,32}==[\\\\x09\\\\x20]{0,32}0[\\\\x09\\\\x20]{0,32}\\\\)[\\\\x09\\\\x20]{0,32}\\\\{\\\\s{1,128}exec\\\\(/ \r\n condition: \r\n all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:54:19Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b78852fc-95f7-4ec5-a7ed-e001320e19b4",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:54:52.000Z",
"modified": "2021-04-21T08:54:52.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_1 \r\n{\r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n sha256 = \\\\\"d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $s1 = \\\\\"->getRealmInfo()->{name}\\\\\" \r\n $s2 = /open\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>>/ \r\n $s3 = /syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]realm=\\\\$/ \r\n $s4 = /syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]username=\\\\$/ \r\n $s5 = /syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]password=\\\\$/ \r\n condition: \r\n (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:54:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--9df4fc8c-7277-4488-9f3b-ff2a0f51aa66",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:55:20.000Z",
"modified": "2021-04-21T08:55:20.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_2 \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"4a2a7cbc1c8855199a27a7a7b51d0117\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $s1 = \\\\\"open(*fd,\\\\\" \r\n $s2 = \\\\\"syswrite(*fd,\\\\\" \r\n $s3 = \\\\\"close(*fd);\\\\\" \r\n $s4 = /open\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>>\\\\/tmp\\\\/[\\\\w.]{1,128}[\\\\x22\\\\x27]\\\\);[\\\\x09\\\\x20]{0,32}syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}/ \r\n $s5 = /syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27][\\\\w]{1,128}=\\\\$\\\\w{1,128} ?[\\\\x22\\\\x27],[\\\\x09\\\\x20]{0,32}5000\\\\)/ \r\n condition: \r\n all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:55:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--b79a5423-1769-4be7-a580-909c99a08598",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:55:55.000Z",
"modified": "2021-04-21T08:55:55.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Trojan_PL_RADIALPULSE_3 \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n md5 = \\\\\"4a2a7cbc1c8855199a27a7a7b51d0117\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\"\r\n strings: \r\n $s1 = \\\\\"open(*fd,\\\\\" \r\n $s2 = \\\\\"syswrite(*fd,\\\\\" \r\n $s3 = \\\\\"close(*fd);\\\\\" \r\n $s4 = /open\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27]>>\\\\/tmp\\\\/dsstartssh\\\\.statementcounters[\\\\x22\\\\x27]\\\\);[\\\\x09\\\\x20]{0,32}syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}/ \r\n $s5 = /syswrite\\\\(\\\\*fd,[\\\\x09\\\\x20]{0,32}[\\\\x22\\\\x27][\\\\w]{1,128}=\\\\$username ?[\\\\x22\\\\x27],[\\\\x09\\\\x20]{0,32}\\\\d{4}\\\\)/ \r\n condition: \r\n all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:55:55Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--17e7dce5-405d-4cf1-8d2f-9f3de6653c75",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:56:27.000Z",
"modified": "2021-04-21T08:56:27.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Backdoor_Linux32_SLOWPULSE_1 \r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\"\r\n sha256 = \\\\\"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} \r\n $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} \r\n $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} \r\n $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} \r\n $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} \r\n condition: \r\n ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:56:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--95be007c-e7a2-45a6-a1ff-d0f334e662da",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:56:57.000Z",
"modified": "2021-04-21T08:56:57.000Z",
"pattern": "rule FE_APT_Backdoor_Linux32_SLOWPULSE_2\r\n{ \r\n meta: \r\n author = \\\\\"Strozfriedberg\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\"\r\n sha256 = \\\\\"cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $sig = /[\\\\x20-\\\\x7F]{16}([\\\\x20-\\\\x7F\\\\x00]+)\\\\x00.{1,32}\\\\xE9.{3}\\\\xFF\\\\x00+[\\\\x20-\\\\x7F][\\\\x20-\\\\x7F\\\\x00]{16}/ \r\n\r\n // TOI_MAGIC_STRING \r\n $exc1 = /\\\\xED\\\\xC3\\\\x02\\\\xE9\\\\x98\\\\x56\\\\xE5\\\\x0C/ \r\n condition:\r\n uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))\r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:56:57Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--40e78b71-1425-4450-aa39-08ecaa30f0df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2021-04-21T08:57:27.000Z",
"modified": "2021-04-21T08:57:27.000Z",
"pattern": "// Copyright 2021 by FireEye, Inc.\r\n// You may not use this file except in compliance with the license. The license should have been received with this file.\r\n\r\nrule FE_APT_Webshell_PL_STEADYPULSE_1\r\n{ \r\n meta: \r\n author = \\\\\"Mandiant\\\\\" \r\n date_created = \\\\\"2021-04-16\\\\\" \r\n sha256 = \\\\\"168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc\\\\\"\r\n reference_url = \\\\\"https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html\\\\\" \r\n strings: \r\n $s1 = \\\\\"parse_parameters\\\\\" \r\n $s2 = \\\\\"s/\\\\\\\\+/ /g\\\\\" \r\n $s3 = \\\\\"s/\\\\%(..)/pack(\\\\\" \r\n $s4 = \\\\\"MIME::Base64::encode($\\\\\" \r\n $s5 = \\\\\"$|=1;\\\\\" \r\n $s6 = \\\\\"RC4(\\\\\" \r\n $s7 = \\\\\"$FORM{\\'cmd\\'}\\\\\" \r\n condition: \r\n all of them \r\n}",
"pattern_type": "yara",
"valid_from": "2021-04-21T08:57:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}