STEADYPULSE
STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a legitimate Perl script that was used as early as 2020 including in activity against US Defense Industrial Base (DIB) entities.[1]
ID: S1112
ⓘ
Type: MALWARE
ⓘ
Platforms: Network
Version: 1.0
Created: 09 February 2024
Last Modified: 09 February 2024
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.[1] |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
STEADYPULSE can transmit URL encoded data over C2.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
STEADYPULSE can URL decode key/value pairs sent over C2.[1] |
|
| Enterprise | T1105 | Ingress Tool Transfer |
STEADYPULSE can add lines to a Perl script on a targeted server to import additional Perl modules.[1] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
STEADYPULSE is a web shell that can enable the execution of arbitrary commands on compromised web servers.[1] |