Chinese Hackers Expand Targets with PingPull Linux Variant: Financial and Government Entities at Risk

Reading Time: ( Word Count: )

April 26, 2023
Nextdoorsec-course

Palo Alto Networks Unit 42 has uncovered new malicious cyber activities by the Chinese nation-state group known as Alloy Taurus. The group has been using a Linux variant of a backdoor named PingPull, and a newly discovered undocumented tool called Sword2033 to carry out recent cyber espionage attacks on South Africa and Nepal. Alloy Taurus, also known as Granite Typhoon (previously Gallium) by Microsoft, has been targeting telecom companies since 2012 but has recently broadened its scope to include financial institutions and government entities.

PingPull, a remote access Trojan that uses Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, was first documented by Unit 42 in June 2022. The Linux version of the malware has similar features to its Windows counterpart, allowing it to perform file operations and execute arbitrary commands by transmitting a single uppercase character between A and K and M from the C2 server. The malware communicates with the domain yrhsywu2009.zapto[.]org over port 8443 for C2 using a statically linked OpenSSL (OpenSSL 0.9.8e) library over HTTPS.

Also Read: “Lazarus Subgroup Strikes Again: New RustBucket Malware Threatens Apple” 

Chinese Hackers Expand Targets with PingPull Linux Variant

Interestingly, PingPull’s parsing of C2 instructions is similar to the China Chopper, a web shell commonly used by Chinese threat actors, indicating that the group is reusing existing source code to create custom tools. A further investigation of the domain revealed another ELF artifact, Sword2033, which can upload and exfiltrate files and execute commands. The malware’s connection to Alloy Taurus was established as the domain previously resolved to an IP address identified as an active indicator of compromise (IoC) associated with a previous campaign targeting companies in Southeast Asia, Europe, and Africa.

The targeting of South Africa by Alloy Taurus coincides with the country’s joint 10-day naval drill with Russia and China earlier this year. The cybersecurity company warned that Alloy Taurus remains a significant threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The discovery of a Linux variant of PingPull malware and using the Sword2033 backdoor indicates that the group is evolving its operations to support its espionage activities.

Lucas Maes

Lucas Maes

Author

Cybersecurity guru, encryption wizard, safeguarding data with 10+ yrs of IT defense expertise. Speaker & author on digital protection.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *