SLOWPULSE

SLOWPULSE is malware that was used by APT5 as early as 2020, including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single- and two-factor authentication flows.[1]

ID: S1104
Type: MALWARE
Platforms: Network
Version: 1.0
Created: 06 February 2024
Last Modified: 08 February 2024

Techniques Used

Domain ID Name Use

Enterprise T1554 Compromise Host Software Binary

SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files.[2]

Enterprise T1556.004 Modify Authentication Process: Network Device Authentication

SLOWPULSE can modify LDAP and two-factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password.[1]

Enterprise T1556.006 Modify Authentication Process: Multi-Factor Authentication

SLOWPULSE can insert malicious logic to bypass RADIUS and ACE two-factor authentication (2FA) flows if a designated attacker-supplied password is provided.[1]

Enterprise T1111 Multi-Factor Authentication Interception

SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the DSAuth::AceAuthServer::checkUsernamePassword ACE-2FA authentication procedure.[1]

Enterprise T1074.001 Data Staged: Local Data Staging

SLOWPULSE can write logged ACE credentials to /home/perl/PAUS.pm in append mode, using the format string %s:%s\n.[1]

Enterprise T1027 Obfuscated Files or Information

SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure libdsplibs.so file.[1]
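As an added example (not from this page or from the reports it cites), the following script looks for the kind of region the T1027 entry above describes: gaps between function symbols in an ELF64 .text section whose bytes are not ordinary alignment filler. It assumes a little-endian ELF64 library, x86-64 padding conventions, and that the file still carries a .symtab or .dynsym; the filler byte set is a heuristic, not a disassembly.

```python
"""Flag inter-function padding in an ELF64 .text section that is not ordinary
toolchain filler, the kind of region SLOWPULSE hides code in (added example)."""
import struct
# Bytes that x86-64 alignment padding is built from: zero, NOP, INT3 and the
# opcode/ModRM bytes of the multi-byte NOP forms. Heuristic, not a disassembly.
FILLER = {0x00, 0x90, 0xCC, 0x66, 0x0F, 0x1F, 0x40, 0x44, 0x80, 0x84}

def is_filler(region: bytes) -> bool:
    """True if every byte could belong to ordinary alignment padding."""
    return all(b in FILLER for b in region)

def find_gaps(funcs, text_start, text_end):
    """Ranges in [text_start, text_end) not covered by any (address, size) symbol."""
    ranges = sorted((a, a + s) for a, s in funcs if s and text_start <= a < text_end)
    gaps, cursor = [], text_start
    for start, end in ranges:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < text_end:
        gaps.append((cursor, text_end))
    return gaps

def suspicious_padding(path):
    """Return (start, end, first bytes) for .text gaps that are not filler."""
    data = open(path, "rb").read()
    assert data[:5] == b"\x7fELF\x02", "ELF64 little-endian input expected"
    shoff, shentsize, shnum, shstrndx = struct.unpack_from("<Q10xHHH", data, 0x28)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    secs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize)
            for i in range(shnum)]
    strtab = secs[shstrndx][4]  # file offset of the section-name string table
    def name(sec):
        return data[strtab + sec[0]:data.index(b"\0", strtab + sec[0])].decode()
    text = next(s for s in secs if name(s) == ".text")
    funcs = []
    for sec in secs:
        if sec[1] in (2, 11):  # SHT_SYMTAB or SHT_DYNSYM
            for off in range(sec[4], sec[4] + sec[5], 24):  # Elf64_Sym is 24 bytes
                _, info, _, _, value, size = struct.unpack_from("<IBBHQQ", data, off)
                if info & 0xF == 2:  # STT_FUNC
                    funcs.append((value, size))
    t_start, t_end = text[3], text[3] + text[5]
    hits = []
    for g0, g1 in find_gaps(funcs, t_start, t_end):
        blob = data[text[4] + g0 - t_start:text[4] + g1 - t_start]
        if not is_filler(blob):
            hits.append((hex(g0), hex(g1), blob[:8].hex()))
    return hits
```

With a stripped library only .dynsym remains, so unexported functions also appear as gaps; compare hits against a known-good copy of the same library version rather than treating every hit as malicious.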

Groups That Use This Software

ID Name References
G1023 APT5 [1]

References