Palo Alto Networks Unit 42 has uncovered new activity by the Chinese nation-state group it tracks as Alloy Taurus. The group has been using a Linux variant of a backdoor named PingPull, together with a newly discovered, previously undocumented tool called Sword2033, in recent cyber espionage attacks on targets in South Africa and Nepal. Alloy Taurus, tracked by Microsoft as Granite Typhoon (formerly Gallium), has targeted telecom companies since at least 2012 but has recently broadened its scope to financial institutions and government entities.
PingPull, a remote access Trojan whose Windows builds are known for using Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, was first documented by Unit 42 in June 2022. The Linux version has much the same feature set as its Windows counterpart: it performs file operations and executes arbitrary commands, with each action selected by a single uppercase letter (A through K, or M) received from the C2 server. Rather than ICMP, this variant communicates with the domain yrhsywu2009.zapto[.]org over port 8443 using HTTPS, with the TLS handling provided by a statically linked OpenSSL library (OpenSSL 0.9.8e).
Interestingly, PingPull's parsing of C2 instructions resembles that of China Chopper, a web shell commonly used by Chinese threat actors, suggesting the group reuses existing source code when building custom tools. Further investigation of the domain turned up another ELF artifact, Sword2033, which can upload and exfiltrate files and execute commands. Its attribution to Alloy Taurus rests on the domain having previously resolved to an IP address already identified as an active indicator of compromise (IoC) from an earlier campaign against companies in Southeast Asia, Europe, and Africa.
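Two of the indicators above are easy to hunt for on Linux hosts and in egress logs: the OpenSSL 0.9.8e banner that a statically linked library leaves inside an ELF binary, and traffic to the C2 domain on TCP/8443. The following scanner is an added example written for this page, not Unit 42 tooling or anything from the malware itself. It assumes the version banner appears as the plain string "OpenSSL 0.9.8e" in the binary, and the ELF bytes and log lines it checks are constructed here for illustration; the log format is invented.

```python
"""Hunt for the PingPull Linux indicators described above.

Added example for this page (not Unit 42 code). Assumptions:
  - a statically linked OpenSSL leaves the banner "OpenSSL 0.9.8e" in the
    binary's read-only data (the exact banner layout is an assumption);
  - the log format parsed below ("<ts> <src_ip> <dst_host>:<dst_port>
    <action>") is constructed for the example.
"""
import re
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Indicators taken from the text above; the defanged [.] is restored.
C2_DOMAIN = "yrhsywu2009.zapto.org"
C2_PORT = 8443
# Assumption: the statically linked library's version banner survives intact.
OPENSSL_BANNER = re.compile(rb"OpenSSL 0\.9\.8e")


def scan_elf_bytes(data: bytes) -> dict:
    """Report which indicators a byte blob contains.

    The OpenSSL banner alone is only suspicious inside an ELF: package
    metadata or text files may legitimately mention old versions.
    """
    result = {
        "is_elf": data.startswith(ELF_MAGIC),
        "openssl_098e": bool(OPENSSL_BANNER.search(data)),
        "c2_domain": C2_DOMAIN.encode() in data,
    }
    result["suspicious"] = result["is_elf"] and (
        result["openssl_098e"] or result["c2_domain"]
    )
    return result


def scan_path(path: Path) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    return scan_elf_bytes(path.read_bytes())


# Constructed log format: "<ts> <src_ip> <dst_host>:<dst_port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<action>\S+)$"
)


def flag_log_lines(lines):
    """Yield (line, reason) for lines touching the C2 domain or its port.

    A hit on the domain (or a subdomain of it) is the strong signal; a bare
    8443 match is weak on its own, since that port is common for other
    services, so it is labelled separately for triage.
    """
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than guess
        host = m["host"].lower().rstrip(".")
        port = int(m["port"])
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            yield line, "c2-domain"
        elif port == C2_PORT:
            yield line, "c2-port-only"


def hits(lines):
    """Materialise flag_log_lines() for callers that want a list."""
    return list(flag_log_lines(lines))


# Constructed samples (not real malware bytes or real logs).
SAMPLE_PINGPULL_LIKE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + b"...OpenSSL 0.9.8e...\x00" + C2_DOMAIN.encode() + b"\x00"
)
SAMPLE_BENIGN_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"OpenSSL 3.0.2\x00"
SAMPLE_TEXT_FILE = b"changelog: built against OpenSSL 0.9.8e long ago\n"
SAMPLE_LOGS = [
    "2023-04-20T10:00:01Z 10.0.0.5 yrhsywu2009.zapto.org:8443 ALLOW",
    "2023-04-20T10:00:02Z 10.0.0.6 updates.example.com:443 ALLOW",
    "2023-04-20T10:00:03Z 10.0.0.7 203.0.113.9:8443 ALLOW",
    "not a log line",
]

if __name__ == "__main__":
    for name, blob in [("pingpull-like", SAMPLE_PINGPULL_LIKE),
                       ("benign-elf", SAMPLE_BENIGN_ELF),
                       ("text-file", SAMPLE_TEXT_FILE)]:
        print(name, scan_elf_bytes(blob))
    for line, reason in hits(SAMPLE_LOGS):
        print(reason, "->", line)
```

Run it against a directory of ELF files with `scan_path` and against proxy or DNS export lines with `hits`; treat "c2-port-only" results as a pivot for further review rather than a detection in themselves, and pair the banner match with file-origin checks, since old statically linked OpenSSL also turns up in legitimate but unmaintained vendor binaries.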
The targeting of South Africa by Alloy Taurus coincides with the country's joint 10-day naval drill with Russia and China earlier this year. Unit 42 warned that Alloy Taurus remains a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The discovery of a Linux variant of PingPull and the use of the Sword2033 backdoor indicate that the group is evolving its toolset to support its espionage activities.