Chinese APT Actor Gallium Adds PingPull RAT to Its Arsenal
Group Is Known for Attacking Telecoms, Finance and Government Organizations
A hacking group suspected of ties with the Chinese government and known for targeting telecommunication companies across Southeast Asia, Europe and Africa is using a new remote access Trojan dubbed PingPull, according to researchers at Palo Alto Networks' Unit 42.
The group, known as Gallium and as Operation Soft Cell, deployed PingPull over the past year to support espionage activities with targeted attacks affecting nine nations: Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. The group's focus has widened to include the financial and public sectors, Unit 42 warns.
The group's activities carry telltale signs of Chinese state sponsorship that include a sector-specific focus and use of known Chinese threat actor malware and tactics, techniques and procedures, researchers say.
Cybersecurity firm Cybereason previously reported that Operation Soft Cell has been in operation at least since 2012.
Part of what makes PingPull so difficult to detect is its use of the Internet Control Message Protocol for command-and-control messages. ICMP tunneling is hardly a new technique, but few organizations inspect ICMP, the protocol used for network diagnostics and error messages, Unit 42 says. Other variants use HTTPS or TCP instead.
The malware gives operators a reverse shell on infected hosts: the infected host initiates the connection out to the attacker's server, a technique developed to circumvent firewall rules that block inbound connections.
The researchers say that commands are sent encrypted with AES in cipher block chaining mode and encoded with base64, and that the PingPull beacon decrypts them using hard-coded keys.