1. Home
  2. Software
  3. PACEMAKER

PACEMAKER

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[1]

ID: S1109
Type: MALWARE
Platforms: Network, Linux
Version: 1.0
Created: 08 February 2024
Last Modified: 10 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

PACEMAKER can enter a loop to read /proc/ entries every 2 seconds in order to read a target application's memory.[1]
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

PACEMAKER can use a simple bash script for execution.[1]
Enterprise T1074 .001 Data Staged: Local Data Staging

PACEMAKER has written extracted data to tmp/dsserver-check.statementcounters.[1]
Enterprise T1083 File and Directory Discovery

PACEMAKER can parse /proc/"process_name"/cmdline to look for the string dswsd within the command line.[1]
Enterprise T1003 .007 OS Credential Dumping: Proc Filesystem

PACEMAKER has the ability to extract credentials from OS memory.[1]
Enterprise T1055 .008 Process Injection: Ptrace System Calls

PACEMAKER can use PTRACE to attach to a targeted process to read process memory.[1]

Groups That Use This Software

ID Name References
G1023 APT5

[1]

References

  1. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.