A well-known Chinese state-sponsored threat actor has been seen using a brand new remote access trojan (RAT) in its espionage campaigns against companies around the world. Cybersecurity researchers from Unit 42, Palo Alto Networks’ cybersecurity arm, published a report recently, saying that Gallium, as the threat actor is known, is using malware (opens in new tab) called PingPull.
PingPull is a “difficult-to-detect” backdoor that communicates with its command & control (C2) server via Internet Control Message Protocol (ICMP), which is not that common. It’s built on C++, and allows threat actors to run arbitrary commands on the compromised endpoint (opens in new tab).
“PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server,” the report states. The report states that the Echo request will be answered by the C2 server with an Echo Reply packet. This Echo reply packet will allow you to send commands to your system. “
Unit 42 also found versions of PingPull that communicate via HTTPS and TCP, as well as more than 170 IP addresses (opens in new tab) that can be associated with Gallium.
The state-sponsored threat actor was first spotted a decade ago, after which it was being linked with the attacks on five major telecommunications companies in southeast Asia, the publication says. Gallium was also seen attacking European and African businesses. Cybereason calls it Soft Cell.
The jury is still out on how the group managed to compromise the target networks, with the media speculating it didn’t deviate much from its usual methodology of exploiting internet-exposed applications. It would then use these apps to deploy viruses (opens in new tab), or the China Chopper web shell.
“Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa,” the researchers added. “While ICMP tunneling is not a new technology, PingPull uses ICMP in order to make it harder to detect its C2 communications. Few organizations have implemented inspections of ICMP traffic on their network. “