Gallium APT Uses Pingpull malware – TheCyberThrone

Unit 42 from Palo Alto discovered a new, difficult-to-detect remote-access malware used by the Gallium advanced persistent threat group.

The Gallium APT group is believed to be a Chinese state-sponsored group and has a reputation for targeting telecommunications companies in Southeast Asia, Europe, and Africa.

Advertisements

Dubbed as PingPull, written in Visual C++ and provides a threat actor the ability to run commands and access a reverse shell on a compromised host. It has the capability to leverage three protocols: ICMP, HTTP(S), and raw TCP for C2. The three variants of PingPull create a custom string that it will send to the C&C server in all interactions to identify the compromised systems uniquely.

The use of ICMP in one variant is noted as a particular concern. ICMP tunneling is not a new technique, but the Unit 42 researchers note that few organizations inspect ICMP traffic on their networks, meaning that when Gallium compromises systems, the successful infiltration may not be detected.

On a successfully compromised system, PingPull has a range of demands that allows the hackers to steal data and cause issues. These include the ability to enumerate storage volumes, list folder contents, read, write, and delete files, and several other options.

The news of PingPull comes after the U.S. government warned on June 8 that Chinese hackers are targeting known vulnerabilities. The joint Cybersecurity Advisory from the NSA, CISA and the FBI detailed how hackers target and compromise major telecommunications companies and network service providers.

Advertisements

Mitigations

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:

Cortex XDR detects and protects endpoints from the PingPull malware. WildFire cloud-based threat analysis service accurately identifies PingPull malware as malicious.

Threat Prevention provides protection against PingPull malware. The “ Pingpull Command and Control Traffic Detection” signature (threat IDs 86625, 86626 and 86627) provides coverage for the ICMP, HTTP(S) and raw TCP C2 traffic.

Advanced URL Filtering and DNS Security identify domains associated with this group as malicious. Users of the AutoFocus contextual threat intelligence service can view malware associated with these attacks using the PingPull tag.

Indicators of Compromise

de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761
b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541
fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e
c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845
f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3
8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20
1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6

PingPull C2 Locations

df.micfkbeljacob[.]com
t1.hinitial[.]com
5.181.25[.]55
92.38.135[.]62
5.8.71[.]97

Domains

micfkbeljacob[.]com
df.micfkbeljacob[.]com
jack.micfkbeljacob[.]com
hinitial[.]com
t1.hinitial[.]com
v2.hinitial[.]com
v3.hinitial[.]com
v4.hinitial[.]com
v5.hinitial[.]com
goodjob36.publicvm[.]com
goodluck23.jp[.]us
helpinfo.publicvm[.]com
Mailedc.publicvm[.]com

Advertisements

IP Addresses

Related Stories

Tags: Chinese link Gallium APT Pingpull malware Security Telecommunication

Leave a ReplyCancel reply

%d bloggers like this: