June 6, 2023

Researchers discovered a new Linux variant of the PingPull malware used by Chinese APT group Alloy Taurus (Gallium) has been reported as an active threat to telecommunications, finance, and government organizations.

Researchers said while they were tracking the C2 leveraged by the APT group for the PingPull Linux variant, they also found its use of another backdoor they named Sword2033.

The first samples of the PingPull malware date back to September 2021. Monitoring its use across several campaigns, the functionality of PingPull and attributed the use of the tool to Alloy Taurus. The Chinese APT group has been working since at least 2012.

Advertisements

Three out of sixty-two vendors found the sample of the Linux variant of the PingPull malware as malicious. This determination was made based on matching HTTP communication structure, POST parameters, AES keys, and C2 commands. The researchers also found that Sword2033 runs as a simple backdoor that does the following: uploads a file to the system (#up); downloads a file from the system (#dn); executes a command but appends before running it (exec /c:).

Reference – Unit42 Blog

Chinese threat actors are known for using APTs to conduct espionage, unlike other criminal groups or nation-state actors whose motives are more monetarily motivated. They can use the malware for other nefarious means.

Like other malware, this has very comprehensive command-and-control that is technically proficient, full of obfuscation tactics that utilizes IPv6, making it difficult to detect. The three variants used (TCP, HTTPs, and ICMP) make it versatile and stealthier.

Alloy Taurus stays an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities. Organizations to use these findings to inform the deployment of protective measures to defend against this threat group.

Advertisements

This research was documented by researchers from Palo Alto Unit 42

Indicators of Compromise

PingPull Linux Variant

  • cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae

Sword2033

  • 5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507
  • e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253

Alloy Taurus Infrastructure

  • yrhsywu2009.zapto[.]org
  • *.saspecialforces.co[.]za
  • vpn729380678.softether[.]net
  • 5.181.25[.]99
  • 196.216.136[.]139

Leave a Reply

%d bloggers like this: