Last month, cybersecurity firm Cybereason warned about a worldwide malicious campaign against telecommunications providers conducted by Chinese state-sponsored hacking group Gallium. Now, Palo Alto’s Unit 42 is warning about a previously undocumented remote access trojan observed in Gallium's attacks.
According to the researchers, the PingPull trojan is very difficult to detect. The malware uses three protocols (ICMP, HTTP(S) and raw TCP) to communicate with its command-and-control servers. Using ICMP makes the trojan's command-and-control traffic harder to detect, because many organizations do not inspect ICMP traffic on their networks.
PingPull is a Visual C++-based trojan that can run commands and provide a reverse shell on a compromised system. The researchers have identified three variants of the malware. All three share the same functionality but use different protocols – ICMP, HTTP(S) and raw TCP – to communicate with their command-and-control infrastructure. Regardless of the variant, PingPull can install itself as a service on the compromised machine.
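As an added illustration of the ICMP inspection the previous paragraphs say most networks lack (example code, not from the article or from Unit 42's research, and not modelled on PingPull's actual protocol): a small analyzer that flags echo traffic deviating from how a normal ping behaves. The size threshold, addresses and sample packets are constructed assumptions.

```python
import struct

# Threshold is an assumption for this example: stock ping sends 56 (Linux) or 32 (Windows) bytes.
MAX_BENIGN_PAYLOAD = 64

def parse_ipv4_icmp_echo(packet: bytes):
    """Return (src, icmp_type, ident, seq, payload) for an IPv4 echo request/reply, else None."""
    if len(packet) < 28 or (packet[0] >> 4) != 4 or packet[9] != 1:  # protocol 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(str(b) for b in packet[12:16])
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8):  # 8 = echo request, 0 = echo reply
        return None
    return src, icmp_type, ident, seq, icmp[8:]

def scan_icmp(packets):
    """Flag echo traffic that carries data instead of ping filler: oversized payloads, and
    replies whose data differs from the request they answer (RFC 792 requires an exact echo)."""
    alerts, pending = [], {}
    for pkt in packets:
        parsed = parse_ipv4_icmp_echo(pkt)
        if parsed is None:
            continue
        src, icmp_type, ident, seq, payload = parsed
        if len(payload) > MAX_BENIGN_PAYLOAD:
            alerts.append((src, "oversized echo payload", len(payload)))
        if icmp_type == 8:
            pending[(ident, seq)] = payload  # remember the request's data for its reply
        elif (ident, seq) in pending and pending.pop((ident, seq)) != payload:
            alerts.append((src, "reply payload differs from request", len(payload)))
    return alerts

def build_echo(src, dst, icmp_type, ident, seq, payload):
    """Build a minimal IPv4+ICMP frame for the constructed samples (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed traffic: a normal ping exchange, then an exchange whose "reply" carries different data.
PING = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping filler
SAMPLE = [
    build_echo("10.0.0.5", "10.0.0.1", 8, 1, 1, PING),
    build_echo("10.0.0.1", "10.0.0.5", 0, 1, 1, PING),
    build_echo("10.0.0.5", "203.0.113.9", 8, 7, 1, bytes(range(200))),
    build_echo("203.0.113.9", "10.0.0.5", 0, 7, 1, bytes(range(200, 0, -1))),
]
```

Running `scan_icmp(SAMPLE)` yields no alert for the first exchange and three for the second (two oversized payloads and one request/reply mismatch).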
The researchers find it difficult to say exactly how the targeted networks are compromised. However, the group is known to exploit internet-exposed applications to gain an initial foothold, and it also deploys a modified version of the China Chopper web shell to establish persistence.
Since 2012, the Gallium APT has attacked telecommunications providers primarily in Southeast Asia, Europe, and Africa. However, according to Cybereason, over the past year the threat actor's list of victims has expanded to include financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. The researchers warn that Gallium remains an active global threat to the telecommunications, finance and government sectors.