S1104 SLOWPULSE
SLOWPULSE is malware used by APT5 as early as 2020, including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single-factor and two-factor authentication flows.[1]
| Item | Value |
|---|---|
| ID | S1104 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 06 February 2024 |
| Last Modified | 15 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1554 | Compromise Host Software Binary | SLOWPULSE is applied in compromised environments through modifications to legitimate Pulse Secure files.[2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | SLOWPULSE can write logged ACE credentials to `/home/perl/PAUS.pm` in append mode, using the format string `%s:%s\n`.[1] |
| enterprise | T1556 | Modify Authentication Process | - |
| enterprise | T1556.004 | Network Device Authentication | SLOWPULSE can modify LDAP and two-factor authentication flows by inspecting login credentials and forcing successful authentication if the provided password matches a chosen backdoor password.[1] |
| enterprise | T1556.006 | Multi-Factor Authentication | SLOWPULSE can insert malicious logic to bypass RADIUS and ACE two-factor authentication (2FA) flows if a designated attacker-supplied password is provided.[1] |
| enterprise | T1111 | Multi-Factor Authentication Interception | SLOWPULSE can log credentials on compromised Pulse Secure VPNs during the `DSAuth::AceAuthServer::checkUsernamePasswordACE-2FA` authentication procedure.[1] |
| enterprise | T1027 | Obfuscated Files or Information | SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1023 | APT5 | [1] |
References
- [1] Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
- [2] Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.