Cybercrime , Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks

Chinese APT Actor Gallium Adds PingPull RAT to Its Arsenal

Group Is Known for Attacking Telecoms, Finance and Government Organizations
Chinese APT Actor Gallium Adds PingPull RAT to Its Arsenal

A hacking group suspected of ties with the Chinese government and known for targeting telecommunication companies across Southeast Asia, Europe and Africa is using a new remote access Trojan dubbed PingPull, according to researchers at Palo Alto Networks' Unit 42.

See Also: OnDemand | What’s Old is New Again: Protecting Yourself From Check Fraud

The group, known as Gallium and as Operation Soft Cell, deployed PingPull over the past year to support espionage activities with targeted attacks affecting nine nations: Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. The group's focus has widened to include the financial and public sectors, Unit 42 warns.

The group's activities carry telltale signs of Chinese state sponsorship that include a sector-specific focus and use of known Chinese threat actor malware and tactics, techniques and procedures, researchers say.

Cybersecurity firm Cybereason previously reported that Operation Soft Cell has been in operation at least since 2012.

PingPull Capabilities

Part of what makes PingPull so difficult to detect is its use of Internet Control Message Protocol for command and control messages. ICMP tunneling is hardly a new technique, but few organizations inspect the network device error message protocol, Unit 42 says. Variants make use of HTTPS and TCP.

The malware provides operators the ability to access a reverse shell on infected hosts, a technique developed to circumvent firewall restrictions by having the host initiate contact with the hacker.

The researchers say that commands are sent in an encrypted format using AES in cipher block chaining mode and encode with base64, which the PingPull beacon decrypts using hard-coded keys.


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.