"Alloy Taurus Hackers Update PingPull Malware to Target Linux Systems"

Security researchers at Palo Alto Networks' Unit 42 have observed the threat actor known as Alloy Taurus deploying a new variant of the PingPull malware that targets Linux systems. The researchers assess that Alloy Taurus is a Chinese advanced persistent threat (APT) group focused on espionage campaigns and active since at least 2012. The group has historically targeted telecommunications companies operating across Asia, Europe, and Africa. In recent years, the researchers say, it has also expanded its targeting to include financial institutions and government entities. As part of the new campaign, the researchers also saw Alloy Taurus targeting individuals in South Africa and Nepal.

Most vendors initially classified the Linux sample observed by the researchers as benign. Further analysis, however, revealed that it matched the communication structure, parameters, and commands of the known PingPull malware. The tool is designed to communicate with its command-and-control (C2) server using encrypted data and can receive and execute commands from the server; the results of those commands are then sent back to the server for further action. The researchers stated that this Linux variant of PingPull uses the same AES key as the original Windows PE (Portable Executable) variant to encrypt its communication with the C2 server.

While investigating the C2 domain of the PingPull Linux variant, the researchers also identified an additional sample that communicated with the same domain. This malware was found to be a backdoor, which the team named Sword2033. The backdoor supports three essential functions: uploading files to the system, downloading files from it, and executing commands. The researchers noted that these commands are identical in value and functionality to those used by the PingPull malware.
Further analysis of the C2 infrastructure revealed links to Alloy Taurus activities.  The researchers noted that the identification of a Linux variant of PingPull malware and the recent use of the Sword2033 backdoor suggests that the group continues to evolve its operations in support of its espionage activities.

Infosecurity reports: "Alloy Taurus Hackers Update PingPull Malware to Target Linux Systems"
