SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)

SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industrial Base (DIB) companies. SLOWPULSE has several variants and can modify legitimate Pulse Secure VPN files in order to log credentials and bypass single and two-factor authentication flows.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49)	Attack Pattern	1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	1
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	1
SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5)	Attack Pattern	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	SLOWPULSE - S1104 (f8fc98ac-ad6d-44db-b6e2-f0c6eb4eace4)	Malware	1
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	2
Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	Network Device Authentication - T1556.004 (fa44a152-ac48-441e-a524-dd7b04b8adcd)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2