Chinese threat groups continue to deploy new malware strains on the compromised network of dozens of US and EU organizations after exploiting vulnerable Pulse Secure VPN appliances.

As FireEye threat analysts revealed last month, state-sponsored threat actors were exploiting a recently patched zero-day in the Pulse Connect Secure gateways.

After compromising the targeted devices, they deployed malware to maintain long-term access to networks, collect credentials, and steal proprietary data.

“We now assess that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities,” FireEye said in a follow-up report published on Thursday.

“Many compromised organizations operate in verticals and industries aligned with Beijing’s strategic objectives outlined in China’s recent 14th Five Year Plan.”

New malware deployed on US, EU orgs’ networks

In the previous report, FireEye mentioned 12 malware families found on and specifically designed to infect Pulse Secure VPN appliances.

According to FireEye’s threat analysts, the malware used by the Chinese cyberspies before issuing the first report includes:

  • UNC2630 targeted US DIB companies with SLOWPULSE, RADIALPULSE, THINBLOOD, ATRIUM, PACEMAKER, SLIGHTPULSE, and PULSECHECK as early as August 2020 until March 2021.
  • UNC2717 targeted global government agencies between October 2020 and March 2021 using HARDPULSE, QUIETPULSE, AND PULSEJUMP.

Since then, FireEye discovered that the UNC2630 Chinese threat actors installed the following four more malware strains, bringing the total to 16 malware families custom-tailored for compromising Pulse Secure VPN appliances.

Malware Family Description
BLOODMINE is a utility for parsing Pulse Secure Connect log files. It extracts information related to logins, Message IDs and Web Requests and copies the relevant data to another file.
BLOODBANK is a credential theft utility that parses two files containing password hashes or plaintext passwords and expects an output file to be given at the command prompt.
CLEANPULSE is a memory patching utility that may be used to prevent certain log events from occurring. It was found in close proximity to an ATRIUM webshell.
RAPIDPULSE is a webshell capable of arbitrary file read. As is common with other webshells, RAPIDPULSE exists as a modification to a legitimate Pulse Secure file. RAPIDPULSE can serve as an encrypted file downloader for the attacker.

FireEye is still collecting evidence and responding to more incidents linked to  Pulse Secure VPN appliance compromises at US and European organizations across several verticals, including defense, government, high tech, transportation, and financial sectors.

“Targets of Chinese cyber espionage operations are often selected for their alignment with national strategic goals, and there is a strong correlation between pillar industries listed in policy white papers and targets of Chinese cyber espionage activity,” the threat analysts said.

Attack distribution
Attack distribution (FireEye)

Signs of threat actors cleaning up their tracks

While investigating these attacks, FireEye also discovered evidence that the threat actors kept track of the company’s research.

As the analysts found, before FireEye’s first report on UNC2630 and UNC2717, the threat actors began removing their malware from some of the compromised systems.

“Between April 17th and 20th, 2021, Mandiant incident responders observed UNC2630 access dozens of compromised devices and remove webshells like ATRIUM and SLIGHTPULSE,” the researchers said.

“It is unusual for Chinese espionage actors to remove a large number of backdoors across several victim environments on or around the time of public disclosure. This action displays an interesting concern for operational security and a sensitivity to publicity.”

“Both UNC2630 and UNC2717 display advanced tradecraft and go to impressive lengths to avoid detection. The actors modify file timestamps and regularly edit or delete forensic evidence such as logs, web server core dumps, and files staged for exfiltration.” 

CISA also updated the alert regarding the exploitation of Pulse Connect Secure vulnerabilities to include the new techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) discovered by FireEye.

The US federal agency also updated the mitigation measures and urges organizations that find evidence of exploitation on their networks to check the guidance published by Ivanti, Pulse Secure’s parent company.