Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.

Called PingPull, the “difficult-to-detect” backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today.

Gallium is notorious for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.

Over the past year, however, the group is said to have expanded its victimology footprint to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, a Visual C++-based malware, provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping files.

“PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server,” the researchers detailed. “The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system.”

Also identified are PingPull variants that rely on HTTPS and TCP to communicate with its C2 server instead of ICMP and over 170 IP addresses associated with the group since late 2020.

It’s not immediately clear how the targeted networks are breached, although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and deploy a modified version of the China Chopper web shell to establish persistence.

“Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa,” the researchers noted.

“While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

CyberSecure Announces Strategic Alliance

CyberSecure Announces Strategic Alliance

BETHESDA, Md., March 24, 2023 /PRNewswire/ — Cybersecure IPS and LockDown Inc. jointly announce that they have entered a strategic alliance to…
Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Tesla Model 3 Hacked in Less Than 2 Minutes at Pwn2Own Contest

Researchers from France-based pen-testing firm Synacktiv demonstrated two separate exploits against the Tesla Model 3 this week at the Pwn2Own…
GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub's Private RSA SSH Key Mistakenly Exposed in Public Repository

GitHub, a Microsoft subsidiary has replaced its SSH keys after someone inadvertently published its private RSA SSH host key part of…