China-Sponsored Gallium Upgrades Using Sneaky PingPull RAT • The Register

The Gallium Group, believed to be a Chinese state-sponsored team, is going to war with an updated Remote Access Trojan (RAT) that threat hunters say is difficult to detect.

The deployment of this PingPull RAT comes as the gang expands the types of organizations in its sights from telecommunications companies to financial services companies and government agencies across Asia, Southeast Asia, Europe and Africa, according to researchers at Palo Alto Networks’ Unit 42 Threat Intelligence Group.

The backdoor comes in three flavors in a compromised system, each of which can communicate with the Command and Control (C2) system using one of three protocols: ICMP, HTTPS, and Raw TCP. All three PingPull variants have the same functionality, but each creates a custom code string that it sends to the C2 server, which uses the unique string to identify the compromised system.

“While using ICMP tunneling is not a new technique, PingPull uses ICMP to make its C2 communications more difficult to detect, as few organizations implement inspection of ICMP traffic on their networks,” Unit 42 researchers wrote on Monday in a blog post.

Written in Visual C++, the PingPull RAT allows attackers to run commands and access a reverse shell on infected systems. According to Unit 42, each variant can execute the same commands, ranging from listing folder contents, reading, writing, and deleting files, to copying and moving files, creating directories, and executing commands.

Gallium has been targeting telecom companies since at least 2012, and its activities have sometimes been attributed to another Chinese gang known as APT10. Recently, Gallium seems to have experienced a growth spurt.

Tainted Love

In a 2018 Gallium attack on a telecom company, dubbed “Soft Cell” by Cybereason threat hunters, the group was seen conducting an advanced, sustained attack on telecom providers using targeted tools and techniques; stealing data on specific, high-value targets led to a complete takeover of the network.

In this attack, “The attacker attempted to steal all data stored in Active Directory and compromised every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, login credentials, email servers and geolocation of users and more.”

A year later, Microsoft’s Threat Intelligence Center wrote about Gallium using publicly available exploits to attack unpatched internet services and known vulnerabilities in WildFly and JBoss.

Over the past year, Unit 42 researchers said they uncovered links between Gallium’s infrastructure and target organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.

Gallium’s use of PingPull is as important an issue as the new direction, they suggest. Once in a compromised system, the backdoor sends a PingPull beacon to the C2, which in turn responds with a command encrypted using AES in cipher block chaining mode. PingPull uses two unique AES keys, the researchers wrote.

In the ICMP variant, “PingPull examples that use ICMP for C2 communication issue ICMP Echo Request packets (ping) to the C2 server. The C2 server responds to these echo requests with an echo reply packet to send commands to the system. Echo request and echo reply packets used by PingPull and its C2 server have the same structure.”
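The detection gap Unit 42 describes (echo traffic that few organizations inspect, carrying AES-encrypted commands) is something a defender can test for. The following is an added example, not Unit 42's code and not derived from PingPull samples: it parses an ICMP header, checks whether the echo payload is the stock data a normal ping tool sends, and flags echo packets whose payload is both non-standard and ciphertext-like. The packets, the tool fingerprints and the entropy threshold are constructed assumptions for illustration.

```python
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwxyzabcdef"  # default 32-byte Windows ping payload

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near the maximum possible for its length."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def looks_like_stock_ping(payload: bytes) -> bool:
    """Windows ping data, or Linux ping: 8-byte timestamp followed by bytes 0x08, 0x09, ..."""
    return payload == WINDOWS_PING_DATA or (
        len(payload) > 8 and payload[8:] == bytes(range(8, len(payload))))

def classify_icmp(packet: bytes) -> dict:
    """Parse one ICMP message (header + data) and score its payload for tunneling indicators."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, _code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    entropy = shannon_entropy(payload)
    # Entropy cannot exceed log2(len) for short payloads, so compare against that ceiling.
    ratio = entropy / math.log2(min(256, len(payload))) if len(payload) > 1 else 0.0
    is_echo = icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    stock = looks_like_stock_ping(payload)
    return {"type": icmp_type, "id": ident, "seq": seq, "stock_ping": stock,
            "entropy_ratio": round(ratio, 2),
            # Echo traffic with a non-stock, ciphertext-like payload is the pattern to inspect.
            "suspicious": is_echo and not stock and ratio > 0.9}

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed test packet; checksum left at zero because classify_icmp does not validate it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed samples: stock Windows and Linux pings, and an echo reply carrying 48 bytes of
# ciphertext-like data, the shape an AES-CBC encrypted command from a C2 server would have.
SAMPLES = {
    "windows_ping": build_echo(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PING_DATA),
    "linux_ping": build_echo(ICMP_ECHO_REQUEST, 2, 1, bytes(8) + bytes(range(8, 56))),
    "tunneled_reply": build_echo(ICMP_ECHO_REPLY, 3, 1, bytes((i * 73 + 41) % 256 for i in range(48))),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, classify_icmp(packet))
```

In production the same check would run over a capture or a sensor's ICMP log, paired with per-host echo frequency to catch beaconing; a single flagged packet is a lead, not a verdict.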

Another variant uses HTTPS to communicate with the C2, while the TCP variant uses raw TCP. It’s time for admins to re-examine which traffic they actually inspect. ®
