PULSECHECK

PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) companies.^[1]

ID: S1108

ⓘ

Type: MALWARE

ⓘ

Platforms: Network, Linux

Version: 1.0

Created: 08 February 2024

Last Modified: 10 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	PULSECHECK can check HTTP request headers for a specific backdoor key and if found will output the result of the command in the variable `HTTP_X_CMD.`^[1]
Enterprise	T1059	.004	Command and Scripting Interpreter: Unix Shell	PULSECHECK can use Unix shell script for command execution.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	PULSECHECK can base-64 encode encrypted data sent through C2.^[1]
Enterprise	T1505	.003	Server Software Component: Web Shell	PULSECHECK is a web shell that can enable command execution on compromised servers.^[1]

Groups That Use This Software

ID	Name	References
G1023	APT5	^[1]

References

Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.

PULSECHECK

Enterprise Layer

Techniques Used

Groups That Use This Software

References