"Chinese Hackers Use New Linux Malware Variants for Espionage"

In cyberespionage attacks, hackers are deploying new Linux malware variants, including a new PingPull variant and a previously undocumented backdoor known as Sword2033. PingPull is a Remote Access Trojan (RAT) first identified by Unit 42 last summer in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. The group attacked government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines. Unit 42 has continued to monitor these malicious campaigns and now reports that the Chinese threat actor is using new malware variants against targets in South Africa and Nepal. The Linux variant of PingPull is an ELF file that only three out of 62 anti-virus vendors flag as malicious. Unit 42 determined that it is a variant of the well-known Windows malware by observing similarities in the HTTP communication structure, the POST parameters, the AES key, and the commands it receives from the threat actor's command-and-control (C2) server. This article continues to discuss the new Linux malware variants used by the Chinese state-sponsored group Gallium in cyberespionage attacks.

Bleeping Computer reports "Chinese Hackers Use New Linux Malware Variants for Espionage"