A known Chinese state-sponsored threat actor has been seen using a new Remote Access Trojan (RAT) in its espionage campaigns against companies around the world. Cybersecurity researchers at Unit 42, the threat intelligence arm of Palo Alto Networks, recently released a report stating that Gallium, as the threat actor is known, uses malware called PingPull.

PingPull is a "hard to detect" backdoor that communicates with its command and control (C2) server via the not-so-common Internet Control Message Protocol (ICMP). It is written in C++ and allows the attackers to execute arbitrary commands on the compromised endpoint.

"PingPull samples that use ICMP for C2 communications send ICMP echo request (ping) packets to the C2 server," the report says. "The C2 server will respond to these echo requests with an echo reply packet to send commands to the system."

Target: telecommunications

Unit 42 also found versions of PingPull that communicate over HTTPS and TCP, as well as over 170 IP addresses that may be associated with Gallium.

The state-sponsored threat actor was first spotted a decade ago, after which it was linked to attacks against five major telecommunications companies in Southeast Asia, according to the publication. Gallium has also been observed attacking businesses in Europe and Africa. Cybereason tracks the same group under the name Soft Cell.

The jury is still out on how the group managed to compromise target networks, with the media speculating that it did not deviate much from its usual methodology of exploiting Internet-exposed applications. It would then use these applications to deploy malware or the China Chopper web shell.

"Gallium remains an active threat to telecommunications, finance, and government organizations in Southeast Asia, Europe, and Africa," the researchers added. "Although the use of ICMP tunnels is not a new technique, PingPull uses ICMP to make it harder to detect its C2 communications, as few organizations implement ICMP traffic inspection on their networks."

Via: Hacker News