SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.[1]

ID: S1104
Platforms: Network
Version: 1.0
Created: 06 February 2024
Last Modified: 08 February 2024

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

SLOWPULSE can write logged ACE credentials to /home/perl/ in append mode, using the format string %s:%s\n.[1]

Enterprise T1556 .004 Modify Authentication Process: Network Device Authentication

SLOWPULSE can modify LDAP and two factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password.[1]

.006 Modify Authentication Process: Multi-Factor Authentication

SLOWPULSE can insert malicious logic to bypass RADIUS and ACE two factor authentication (2FA) flows if a designated attacker-supplied password is provided.[1]

Enterprise T1111 Multi-Factor Authentication Interception

SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the DSAuth::AceAuthServer::checkUsernamePasswordACE-2FA authentication procedure.[1]

Enterprise T1027 Obfuscated Files or Information

SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure file.[1]

Groups That Use This Software

ID Name References
G1023 APT5