Researchers have discovered a new Linux variant of the PingPull malware used by the Chinese APT group Alloy Taurus (Gallium), which remains an active threat to telecommunications, finance, and government organizations.
Researchers said that while tracking the C2 infrastructure leveraged by the APT group for the PingPull Linux variant, they also found the group using another backdoor, which they named Sword2033.
The first samples of the PingPull malware date back to September 2021. By monitoring its use across several campaigns, researchers documented the functionality of PingPull and attributed the tool to Alloy Taurus. The Chinese APT group has been active since at least 2012.
Three out of sixty-two vendors flagged the sample of the Linux variant of the PingPull malware as malicious. The researchers identified the sample as PingPull based on matching HTTP communication structure, POST parameters, AES keys, and C2 commands. The researchers also found that Sword2033 is a simple backdoor that supports three commands: uploading a file to the system (#up); downloading a file from the system (#dn); and executing a command, with something appended to it before it is run (exec /c:).
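The three Sword2033 command markers named above are the kind of string a responder can sweep proxy or web-server logs for. The following is an added triage example, not code from the original report or from Unit 42: only the markers #up, #dn and exec /c: are taken from the page, while the log line format, field layout, IP addresses and payloads are constructed for illustration and do not reproduce the backdoor's real wire protocol.

```python
"""Triage helper for the Sword2033 command markers (#up, #dn, exec /c:)
described in the report above.

Only the three command markers come from the report; the log format,
field names, IP addresses and payloads below are constructed for
illustration and do not reproduce the backdoor's real wire protocol."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Command markers reported for Sword2033, mapped to a triage category.
COMMAND_MARKERS: Dict[str, str] = {
    "#up": "upload_file_to_host",
    "#dn": "download_file_from_host",
    "exec /c:": "execute_command",
}

# Leftmost marker wins; everything after it is treated as the argument.
_MARKER_RE = re.compile(r"(#up|#dn|exec /c:)\s*(.*)", re.DOTALL)


def classify_command(body: str) -> Optional[Tuple[str, str]]:
    """Return (category, argument) if a known marker is present, else None."""
    match = _MARKER_RE.search(body)
    if match is None:
        return None
    return COMMAND_MARKERS[match.group(1)], match.group(2).strip()


# Hypothetical proxy log format: "<ts> <src> <dst> <method> <path> <body>".
_LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample lines (RFC 5737 documentation addresses, benign payloads).
SAMPLE_LOG: List[str] = [
    "2024-01-01T10:00:00Z 192.0.2.10 198.51.100.5 POST /api/v1 #dn /tmp/report.txt",
    "2024-01-01T10:00:05Z 192.0.2.10 198.51.100.5 POST /api/v1 exec /c: uname -a",
    "2024-01-01T10:00:09Z 192.0.2.11 198.51.100.5 GET /index.html -",
    "2024-01-01T10:00:12Z 192.0.2.10 198.51.100.5 POST /api/v1 #up /tmp/update.bin",
    "2024-01-01T10:00:15Z 192.0.2.12 198.51.100.5 POST /login user=alice",
]


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per line whose body carries a Sword2033 command marker."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        parsed = _LOG_RE.match(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the sweep
        ts, src, dst, method, path, body = parsed.groups()
        result = classify_command(body)
        if result is None:
            continue
        category, argument = result
        hits.append({"ts": ts, "src": src, "dst": dst, "method": method,
                     "path": path, "category": category, "argument": argument})
    return hits


def hosts_by_hit_count(hits: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Rank source hosts by how many command-bearing requests they sent,
    so a responder sees which internal host is talking to the C2 most."""
    return Counter(h["src"] for h in hits).most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["ts"]} {hit["src"]} -> {hit["category"]} {hit["argument"]!r}')
    print(hosts_by_hit_count(found))
```

The marker strings are short, so on a busy proxy this sweep is a triage filter rather than a verdict: confirm hits against the HTTP structure and POST parameters the report cites before escalating.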
Chinese threat actors are known for using APTs to conduct espionage, unlike other criminal groups or nation-state actors whose motives are primarily financial. They can also use the malware for other nefarious purposes.
Like other malware of its kind, PingPull has a comprehensive and technically proficient command-and-control channel, with obfuscation tactics that utilize IPv6, making it difficult to detect. The three variants used (TCP, HTTPS, and ICMP) make it versatile and stealthier.
Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe, and Africa. The identification of a Linux variant of PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to evolve its operations in support of its espionage activities. Organizations should use these findings to inform the deployment of protective measures to defend against this threat group.
This research was documented by researchers from Palo Alto Unit 42.
Indicators of Compromise
PingPull Linux Variant
Alloy Taurus Infrastructure