14 June 2022

Chinese Gallium APT uses previously undocumented remote access trojan PingPull

Last month, cybersecurity firm Cybereason warned about a worldwide malicious campaign against telecommunications providers conducted by Chinese state-sponsored hacking group Gallium. Now, Palo Alto’s Unit 42 is warning about a previously undocumented remote access trojan observed in Gallium's attacks.

According to the researchers, the PingPull trojan is very difficult to detect. The malware can use any of three protocols (ICMP, HTTP(S) or raw TCP) to communicate with its command-and-control servers. Using ICMP makes the trojan's command-and-control traffic harder to spot because many organizations do not inspect ICMP on their networks.

PingPull is a Visual C++-based trojan able to run commands and provide a reverse shell on a compromised system. The researchers have identified three variants of the malware. All three share the same functionality but use different protocols – ICMP, HTTP(S) or raw TCP – to communicate with their command-and-control infrastructure. Regardless of the variant, PingPull is able to install itself as a service on the compromised machine.
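Because ICMP echo traffic is rarely inspected, one practical defensive check is to baseline what legitimate ping tools actually put in the echo payload and flag anything else. The following is an added illustration, not code from Unit 42 or Cybereason and not based on captured PingPull traffic; it assumes two common baselines (iputils ping on 64-bit Linux: a 16-byte timestamp followed by bytes whose value equals their offset; Windows ping: a fixed 32-byte alphabet) and uses constructed sample packets.

```python
import struct

# Assumed baseline: Windows ping pads every echo request with this fixed 32-byte string.
WINDOWS_PADDING = b"abcdefghijklmnopqrstuvwabcdefghi"


def build_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Build an ICMP echo request (type 8) or reply (type 0); checksum is left 0 offline."""
    return struct.pack("!BBHHH", 0 if reply else 8, 0, 0, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split the 8-byte ICMP header from the payload (the IP header is assumed stripped)."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def looks_like_linux_ping(payload: bytes) -> bool:
    # Assumed baseline: 16-byte timestamp, then payload[i] == i for the rest (0x10, 0x11, ...).
    return len(payload) > 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def classify(packet: bytes, max_payload: int = 64) -> str:
    """Return 'ok' for baseline echo traffic, otherwise why the packet deserves a look."""
    p = parse_icmp(packet)
    if p["type"] not in (0, 8):
        return "non-echo"  # only echo request/reply is baselined here
    payload = p["payload"]
    if len(payload) > max_payload:
        return "oversized"  # far more data than any normal ping carries
    if not payload or payload == WINDOWS_PADDING or looks_like_linux_ping(payload):
        return "ok"
    return "unknown-payload"  # arbitrary bytes riding on echo: possible tunnelled C2


def scan(packets) -> list:
    """Return (sequence number, verdict) for every echo packet that deviates from the baseline."""
    findings = []
    for pk in packets:
        verdict = classify(pk)
        if verdict not in ("ok", "non-echo"):
            findings.append((parse_icmp(pk)["seq"], verdict))
    return findings


# Constructed samples: two benign pings, one opaque blob, one oversized payload.
linux_payload = struct.pack("!QQ", 1655200000, 123456) + bytes(range(16, 56))
SAMPLES = [
    build_echo(0x1234, 1, linux_payload),
    build_echo(0x1234, 2, WINDOWS_PADDING),
    build_echo(0x1234, 3, bytes.fromhex("8f2b77c1e5d0a41b9c3e")),
    build_echo(0x1234, 4, b"\x00" * 200),
]
```

Run over a real capture, the same logic would take the ICMP bytes after the IPv4 header; the size limit and the baseline patterns are the knobs to tune to the ping tools in use on your network.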

The researchers find it difficult to say how exactly the targeted networks are compromised. However, the group is known for its exploitation of internet-exposed applications to gain an initial foothold. The Gallium hackers also deploy a modified version of the China Chopper web shell to establish persistence.

Since 2012, Gallium has attacked telecommunication providers primarily in Southeast Asia, Europe, and Africa. However, according to Cybereason, over the past year the threat actor's list of victims has expanded to include financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. As of now, Gallium is an active global threat to the telecommunication, finance and government sectors, the researchers warn.
