This devious new Chinese malware uses a never before seen trojan
A known state-sponsored group is on the move
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A well-known Chinese state-sponsored threat actor has been seen using a brand new remote access trojan (RAT) in its espionage campaigns against companies around the world. Cybersecurity researchers from Unit 42, Palo Alto Networks’ cybersecurityarm, published a report recently, saying that Gallium, as the threat actor is known, is usingmalwarecalled PingPull.
PingPull is a “difficult-to-detect” backdoor that communicates with its command & control (C2) server via Internet Control Message Protocol (ICMP), which is not that common. It’s built on C++, and allows threat actors to run arbitrary commands on the compromisedendpoint.
“PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server,” the report states. “The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system.”
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
Targeting telecoms
Unit 42 also found versions of PingPull that communicate via HTTPS and TCP, as well as more than 170IP addressesthat can be associated with Gallium.
The state-sponsored threat actor was first spotted a decade ago, after which it was being linked with the attacks on five major telecommunications companies in southeast Asia, the publication says. Gallium was also observed attacking businesses in Europe, as well as Africa. Cybereason also calls it Soft Cell.
Cyberattacks draining telecoms’ resources>UK internet phone providers hit by major cyberattacks>Cyberattacks on businesses saw a huge rise in 2021
The jury is still out on how the group managed to compromise the target networks, with the media speculating it didn’t deviate much from its usual methodology of exploiting internet-exposed applications. It would then use these apps to deployviruses, or the China Chopper web shell.
“Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa,” the researchers added. “While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via:Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Washington state court systems taken offline following cyberattack
Is it still worth using Proton VPN Free?
Top 3 things you have to try with the new ChatGPT search
