"Cyberespionage Attacks by Chinese 'Gallium' Hackers Are Employing New PingPull Malware"

Gallium, a Chinese Advanced Persistent Threat (APT) group, has been observed using a previously unknown Remote Access Trojan (RAT) in espionage attacks against organizations in Southeast Asia, Europe, and Africa. According to a recent report from Palo Alto Networks Unit 42, the "difficult-to-detect" backdoor, named PingPull, stands out because it can use the Internet Control Message Protocol (ICMP) for Command-and-Control (C2) communications.

Gallium has been known for attacks on telecommunications companies since 2012. Since 2017, the state-sponsored actor, tracked as Soft Cell by Cybereason, has been linked to a broader set of intrusions against five major Southeast Asian telecommunications providers. Over the past year, however, its victimology has expanded to financial institutions and government bodies in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.

PingPull, written in Visual C++, gives the operator a reverse shell and the ability to run arbitrary commands on a compromised host, including file operations, modifying file timestamps, and enumerating storage volumes. The ICMP variant beacons by sending ICMP Echo Request (ping) packets to the C2 server; the server tasks the implant by carrying its commands in the ICMP Echo Reply packets it sends back, so the traffic looks like ordinary ping activity to a casual observer. Variants that talk to the C2 server over HTTPS and raw TCP instead of ICMP have also been found. More than 170 IP addresses have been associated with the group's infrastructure since late 2020.

How the targeted networks are initially compromised is not yet clear, although the actor is known to exploit Internet-exposed applications for its initial foothold and then deploy a customized version of the China Chopper web shell for persistence. This article continues to discuss the Gallium APT group's use of the new PingPull malware.
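A practical consequence of tasking an implant through Echo Replies is that the reply can no longer mirror the request: a standards-conforming ping responder copies the Echo Request payload verbatim into the Echo Reply, so a reply whose payload differs from its request is a strong signal that the "ping" is carrying something else. The following Python is an added example written for this page, not code from Unit 42 or from the PingPull samples; it builds a few IPv4/ICMP packets itself (the addresses and payload bytes are constructed placeholders, and the page does not describe PingPull's real payload encoding), pairs requests with replies by identifier and sequence number, and flags non-mirrored replies.

```python
"""Pair ICMP Echo Requests with their Echo Replies and flag replies that do
not mirror the request payload.  A normal ping responder echoes the request
payload back unchanged; a C2 server that tasks an implant inside Echo Replies
has to put different bytes there.  All packets here are constructed for the
example and are not captured PingPull traffic."""
import struct
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(itype: int, ident: int, seq: int, payload: bytes,
               src: bytes, dst: bytes) -> bytes:
    """Build a minimal IPv4 packet carrying one ICMP Echo message (test data only)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                            64, IPPROTO_ICMP, 0, src, dst)
    return ip_header + icmp


def parse_echo(packet: bytes) -> Optional[Dict]:
    """Return the Echo fields of an IPv4/ICMP packet, or None if it is not an Echo message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return {"type": itype, "id": ident, "seq": seq, "payload": icmp[8:],
            "src": packet[12:16], "dst": packet[16:20],
            # A message with a valid checksum sums to zero when recomputed.
            "checksum_ok": icmp_checksum(icmp) == 0}


def find_tasking_replies(packets: List[bytes]) -> List[Dict]:
    """Match replies to requests by (endpoints, id, seq); flag replies whose
    payload differs from the request, and replies with no matching request."""
    pending: Dict[Tuple[bytes, bytes, int, int], bytes] = {}
    alerts: List[Dict] = []
    for pkt in packets:
        msg = parse_echo(pkt)
        if msg is None:
            continue
        if msg["type"] == ICMP_ECHO_REQUEST:
            pending[(msg["src"], msg["dst"], msg["id"], msg["seq"])] = msg["payload"]
            continue
        key = (msg["dst"], msg["src"], msg["id"], msg["seq"])  # reply flows back
        req_payload = pending.pop(key, None)
        if req_payload is None:
            alerts.append({"reason": "unsolicited echo reply", "id": msg["id"],
                           "seq": msg["seq"], "reply_payload": msg["payload"]})
        elif req_payload != msg["payload"]:
            alerts.append({"reason": "reply payload does not mirror request",
                           "id": msg["id"], "seq": msg["seq"],
                           "reply_payload": msg["payload"]})
    return alerts


def demo() -> List[Dict]:
    """One benign ping exchange followed by one C2-style exchange (constructed)."""
    client, server = b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x0a"  # 10.0.0.5, 192.168.1.10
    normal = struct.pack("!Q", 1700000000) + bytes(range(0x10, 0x40))  # typical 56-byte ping data
    beacon = b"\x01host=WS01"      # placeholder beacon bytes, not PingPull's real encoding
    tasking = b"\x02cmd=whoami"    # placeholder command bytes, likewise invented
    packets = [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, normal, client, server),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 1, normal, server, client),
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 2, beacon, client, server),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 2, tasking, server, client),
    ]
    return find_tasking_replies(packets)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The mirror check is cheap to run over a capture and catches any reply-carried tasking regardless of encoding, but it is a heuristic, not a PingPull signature: a server that echoes the request and appends its command would still be caught, while one that tasks the implant only through request timing or packet sizes would not. Pair it with rate and volume baselines for ICMP from hosts that have no business pinging the Internet.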

CyberIntelMag reports "Cyberespionage Attacks by Chinese 'Gallium' Hackers Are Employing New PingPull Malware"

Submitted by Anonymous on