June 6, 2023

Unit 42 from Palo Alto Networks discovered a new, difficult-to-detect remote-access malware used by the Gallium advanced persistent threat group.

The Gallium APT group is believed to be a Chinese state-sponsored group and has a reputation for targeting telecommunications companies in Southeast Asia, Europe, and Africa.


Dubbed PingPull, the malware is written in Visual C++ and gives a threat actor the ability to run commands and access a reverse shell on a compromised host. It can use any of three protocols for C2: ICMP, HTTP(S), and raw TCP. All three variants of PingPull create a custom string that is sent to the C&C server in every interaction to uniquely identify the compromised system.

The use of ICMP in one variant is noted as a particular concern. ICMP tunneling is not a new technique, but the Unit 42 researchers note that few organizations inspect ICMP traffic on their networks, meaning that when Gallium compromises a system, the C2 traffic that follows may go unnoticed.
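To make the ICMP inspection point concrete, here is an added example (written for this page, not Unit 42's code and not taken from the malware) that parses raw IPv4/ICMP echo packets and flags payloads that do not look like a normal ping. The size threshold, the entropy threshold and the constructed test frames are assumptions of this example.

```python
import math

# Constructed example: flag ICMP echo packets whose payload does not look like
# a normal ping, the kind of check a network that never inspects ICMP lacks.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows default 32 bytes
MAX_NORMAL_PAYLOAD = 64  # bytes; assumed threshold for this example

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def looks_like_linux_ping(payload: bytes) -> bool:
    """iputils ping fills data[i] = i after an 8- or 16-byte timestamp."""
    return any(all(payload[i] == (i & 0xFF) for i in range(ts, len(payload)))
               for ts in (8, 16) if len(payload) > ts)

def parse_icmp(packet: bytes):
    """Return (type, code, payload) from a raw IPv4 packet, or None if not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 1:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    return (icmp[0], icmp[1], icmp[8:]) if len(icmp) >= 8 else None

def suspicious_reasons(packet: bytes) -> list:
    """Heuristic findings for an ICMP echo request/reply; empty list means benign-looking."""
    parsed = parse_icmp(packet)
    if parsed is None or parsed[0] not in (0, 8):
        return []
    payload = parsed[2]
    if payload == WINDOWS_PING_PAYLOAD or looks_like_linux_ping(payload):
        return []
    reasons = []
    if len(payload) > MAX_NORMAL_PAYLOAD:
        reasons.append(f"oversized echo payload ({len(payload)} bytes)")
    if shannon_entropy(payload) > 5.0:
        reasons.append("high-entropy payload (possible encrypted tunnel data)")
    if payload and all(32 <= b < 127 for b in payload):
        reasons.append("printable payload that is not a standard ping pattern")
    return reasons

def build_icmp_packet(payload: bytes, icmp_type: int = 8) -> bytes:
    """Constructed IPv4+ICMP frame for offline testing; checksums left zero, never sent."""
    total = 20 + 8 + len(payload)
    ip_header = (bytes([0x45, 0]) + total.to_bytes(2, "big") + bytes(4)
                 + bytes([64, 1]) + bytes(2) + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    icmp_header = bytes([icmp_type, 0, 0, 0, 0, 1, 0, 1])
    return ip_header + icmp_header + payload
```

In practice the same checks would run over packets pulled from a capture or a sensor feed rather than the constructed frames here.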

On a successfully compromised system, PingPull supports a range of commands that allow the attackers to steal data and tamper with the host. These include the ability to enumerate storage volumes, list folder contents, read, write, and delete files, and several other options.

The news of PingPull comes after the U.S. government warned on June 8 that Chinese hackers are targeting known vulnerabilities. The joint Cybersecurity Advisory from the NSA, CISA and the FBI detailed how these actors target and compromise major telecommunications companies and network service providers.


Mitigations

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:

Cortex XDR detects and protects endpoints from the PingPull malware. WildFire cloud-based threat analysis service accurately identifies PingPull malware as malicious.

Threat Prevention provides protection against PingPull malware. The "PingPull Command and Control Traffic Detection" signature (threat IDs 86625, 86626 and 86627) provides coverage for the ICMP, HTTP(S) and raw TCP C2 traffic.

Advanced URL Filtering and DNS Security identify domains associated with this group as malicious. Users of the AutoFocus contextual threat intelligence service can view malware associated with these attacks using the PingPull tag.

Indicators of Compromise


PingPull C2 Locations


Domains


IP Addresses

