1. Home
  2. Software
  3. RAPIDPULSE

RAPIDPULSE

RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has been used by APT5 since at least 2021.[1]

ID: S1113
Type: MALWARE
Platforms: Network, Linux
Version: 1.0
Created: 13 February 2024
Last Modified: 05 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

RAPIDPULSE listens for specific HTTP query parameters in received communications. If specific parameters match, a hard-coded RC4 key is used to decrypt the HTTP query paremter hmacTime. This decrypts to a filename that is then open, read, encrypted with the same RC4 key, base64-encoded, written to standard out, then passed as a response to the HTTP request.[1]
Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

RAPIDPULSE is a web shell that is capable of arbitrary file read on targeted web servers to exfiltrate items of interest on the victim device.[1]

Groups That Use This Software

ID Name References
G1023 APT5

[1]

References

  1. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.