“Chinese Hackers Expand Targets with PingPull Linux Variant: Financial and Government Entities at Risk”


April 26, 2023
Nextdoorsec-course

Palo Alto Networks Unit 42 has uncovered new malicious cyber activities by the Chinese nation-state group known as Alloy Taurus. The group has been using a Linux variant of a backdoor named PingPull, and a newly discovered undocumented tool called Sword2033 to carry out recent cyber espionage attacks on South Africa and Nepal. Alloy Taurus, also known as Granite Typhoon (previously Gallium) by Microsoft, has been targeting telecom companies since 2012 but has recently broadened its scope to include financial institutions and government entities.

PingPull, a remote access Trojan that uses Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, was first documented by Unit 42 in June 2022. The Linux version of the malware has similar features to its Windows counterpart, allowing it to perform file operations and execute arbitrary commands by transmitting a single uppercase character between A and K and M from the C2 server. The malware communicates with the domain yrhsywu2009.zapto[.]org over port 8443 for C2 using a statically linked OpenSSL (OpenSSL 0.9.8e) library over HTTPS.
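As an added defender-side example (not code from Unit 42 or from this article), the Python snippet below refangs the C2 domain quoted above and runs a simple match over a few constructed DNS and connection log lines; the log layout and the "dynamic DNS on port 8443" hunting heuristic are assumptions of the example.

```python
"""Match log lines against the PingPull Linux C2 indicator quoted in the
article (defanged domain yrhsywu2009.zapto[.]org, HTTPS on port 8443).
Added example; the log line format used here is an assumption."""
import re

# Indicator exactly as the article prints it (defanged with "[.]").
DEFANGED_C2_DOMAIN = "yrhsywu2009.zapto[.]org"
C2_PORT = 8443


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_DOMAIN = refang(DEFANGED_C2_DOMAIN)

# Assumed line formats:
#   "<ts> <host> dns query=<name> answer=<ip>"
#   "<ts> <host> conn dst=<ip>:<port> sni=<name>"
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dns query=(?P<query>\S+)")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn dst=(?P<ip>[\d.]+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?")


def matches_c2(line: str):
    """Return (host, reason) if the line touches the C2 indicator, else None."""
    m = DNS_RE.match(line)
    if m and m.group("query").lower().rstrip(".") == C2_DOMAIN:
        return m.group("host"), "dns-query:" + C2_DOMAIN
    m = CONN_RE.match(line)
    if m:
        sni = (m.group("sni") or "").lower().rstrip(".")
        if sni == C2_DOMAIN:
            return m.group("host"), "tls-sni:" + C2_DOMAIN
        # Lower-confidence hunt: any zapto.org dynamic-DNS name on the C2 port.
        if int(m.group("port")) == C2_PORT and sni.endswith(".zapto.org"):
            return m.group("host"), "dyn-dns-on-8443"
    return None


def scan(lines):
    """Collect every (host, reason) hit across the given log lines."""
    return [hit for hit in map(matches_c2, lines) if hit]


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOGS = [
    "2023-04-20T10:00:01Z srv-db01 dns query=yrhsywu2009.zapto.org answer=203.0.113.10",
    "2023-04-20T10:00:02Z srv-db01 conn dst=203.0.113.10:8443 sni=yrhsywu2009.zapto.org",
    "2023-04-20T10:05:00Z ws-042 conn dst=198.51.100.7:443 sni=example.org",
    "2023-04-20T10:06:00Z srv-web02 conn dst=203.0.113.99:8443 sni=other.zapto.org",
    "2023-04-20T10:07:00Z ws-042 dns query=example.org answer=198.51.100.7",
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOGS):
        print(f"{host}: {reason}")
```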



Interestingly, PingPull's parsing of C2 instructions is similar to that of China Chopper, a web shell commonly used by Chinese threat actors, indicating that the group is reusing existing source code to create custom tools. Further investigation of the domain revealed another ELF artifact, Sword2033, which can upload and exfiltrate files and execute commands. The malware's connection to Alloy Taurus was established because the domain previously resolved to an IP address identified as an active indicator of compromise (IoC) associated with an earlier campaign targeting companies in Southeast Asia, Europe, and Africa.

The targeting of South Africa by Alloy Taurus coincides with the country's joint 10-day naval drill with Russia and China earlier this year. The cybersecurity company warned that Alloy Taurus remains a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The discovery of a Linux variant of PingPull and the use of the Sword2033 backdoor indicate that the group is evolving its operations to support its espionage activities.

Saher

Author

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
