Gallium hackers backdoor finance, govt orgs using new PingPull malware

The Gallium state-sponsored hacking group has been spotted using a new remote access trojan, ‘PingPull’, against financial institutions and government entities in Europe, Southeast Asia, Africa, and Australia.

The targeted entities are located in Australia, Russia, the Philippines, Belgium, Vietnam, Malaysia, Cambodia, and Afghanistan.

Gallium is believed to operate from China, and its targeting of the telecommunications, finance, and government sectors in espionage operations aligns with Chinese state interests.

In recent campaigns, Gallium has been deploying a new RAT (remote access trojan) named PingPull, which analysts at Palo Alto Networks' Unit 42 characterize as particularly stealthy.

Reverse shells on host

PingPull is designed to give the operators a reverse shell on the compromised host, letting them run commands remotely.

Unit 42 obtained three distinct variants with near-identical functionality that differ only in the protocol used to reach the command-and-control (C2) server: ICMP, HTTPS, and raw TCP.

PingPull HTTP beacon example (Unit 42)

Offering three C2 transports likely serves to evade specific network detection tools (ICMP, for instance, passes through networks where outbound HTTP is proxied and inspected), with the actors deploying the variant that fits what preliminary reconnaissance revealed about the target's network.

In all three cases, the malware installs itself as a Windows service whose description mimics that of a legitimate service, to discourage administrators from stopping it.

The commands that all three variants support are the following:

  • Enumerate storage volumes (A: through Z:)
  • List folder contents
  • Read file
  • Write file
  • Delete file
  • Read file and return its contents in hexadecimal form
  • Write file from hexadecimal-encoded contents
  • Copy file, setting the copy's creation, write, and access times to match the original
  • Move file, setting the destination's creation, write, and access times to match the original
  • Create directory
  • Timestomp file
  • Run command via cmd.exe

PingPull response to C2 command via ICMP (Unit 42)

The commands and their parameters arrive from the C2 in AES-encrypted form; the beacon decrypts them using a pair of hardcoded keys.
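The ICMP variant hands network defenders one concrete hunting opportunity: a genuine ping carries a small, fixed fill pattern, whereas an AES-encrypted command (or its output) stuffed into an echo message does not. The Python below is an added example written for this article, not code from Unit 42 or from the malware. It parses raw ICMP echo messages, verifies the checksum, recognises the two common ping fill patterns as benign, and flags oversized or high-entropy payloads; it also checks whether an echo reply mirrors its request, since a C2 reply carrying command output will not. The thresholds, the pseudo-ciphertext filler and the sample packets are constructed assumptions for the example, not PingPull artifacts.

```python
"""Flag ICMP echo traffic that looks like a covert channel rather than ping.
Added example; thresholds and sample packets are constructed, not from PingPull."""
import hashlib
import math
import struct

# Default payload sent by Windows ping.exe (32 bytes, repeating alphabet).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Heuristic thresholds (assumptions for this example; tune per network).
MAX_NORMAL_PAYLOAD = 64     # ping defaults: 32 bytes (Windows), 56 bytes (Linux)
HIGH_ENTROPY_BITS = 6.0     # bits/byte; ciphertext sits near 7+, text near 4-5
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum (used for samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_linux_ping(payload: bytes) -> bool:
    """iputils ping: an 8- or 16-byte timestamp, then bytes counting up from the
    offset of each byte within the ICMP message (so the run starts at 0x10)."""
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if tail and all(b == (8 + ts_len + i) & 0xFF for i, b in enumerate(tail)):
            return True
    return False


def analyze_icmp(packet: bytes) -> dict:
    """Parse one ICMP message (header + payload) and return fields plus a verdict."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    # Recompute the checksum with the checksum field zeroed out.
    checksum_ok = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum
    reasons = []
    if icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        known_fill = payload == WINDOWS_PING_PAYLOAD or looks_like_linux_ping(payload)
        if not known_fill:
            if len(payload) > MAX_NORMAL_PAYLOAD:
                reasons.append("oversized payload (%d bytes)" % len(payload))
            if shannon_entropy(payload) > HIGH_ENTROPY_BITS:
                reasons.append("high-entropy payload, looks encrypted")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload_len": len(payload), "entropy": shannon_entropy(payload),
            "checksum_ok": checksum_ok, "suspicious": bool(reasons), "reasons": reasons}


def reply_mirrors_request(request: bytes, reply: bytes) -> bool:
    """A genuine echo reply repeats the request's id, seq and payload unchanged;
    a C2 reply that carries command output does not."""
    req, rep = analyze_icmp(request), analyze_icmp(reply)
    return ((req["type"], rep["type"]) == (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
            and (req["id"], req["seq"]) == (rep["id"], rep["seq"])
            and request[8:] == reply[8:])


def pseudo_ciphertext(length: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for an AES-encrypted blob."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed samples: two ordinary pings and one fake beacon exchange.
WINDOWS_PING = build_echo(ICMP_ECHO_REQUEST, 0x0001, 1, WINDOWS_PING_PAYLOAD)
LINUX_PING = build_echo(ICMP_ECHO_REQUEST, 0x1234, 7,
                        b"\x00" * 8 + bytes((0x10 + i) & 0xFF for i in range(48)))
BEACON_REQUEST = build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 1, pseudo_ciphertext(192))
BEACON_REPLY = build_echo(ICMP_ECHO_REPLY, 0xBEEF, 1, pseudo_ciphertext(96, b"reply"))

if __name__ == "__main__":
    for name, pkt in (("windows", WINDOWS_PING), ("linux", LINUX_PING), ("beacon", BEACON_REQUEST)):
        print(name, analyze_icmp(pkt))
    print("beacon reply mirrors request:", reply_mirrors_request(BEACON_REQUEST, BEACON_REPLY))
```

On a real sensor, feed `analyze_icmp` the ICMP bytes extracted from a packet capture (everything after the IP header). Expect tuning: monitoring tools and some traceroute implementations send non-standard echo payloads, and an operator can pad a beacon to 32 bytes and mimic the Windows fill, so these heuristics complement, rather than replace, the host-based indicators in the Unit 42 report. The HTTPS and TCP variants need different detections entirely.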

Gallium activities

The infrastructure that Unit 42 was able to uncover and link to Gallium operations includes more than 170 IP addresses, some of which date back to late 2020.

Microsoft had warned about the group in 2019, when its targeting was limited to telecommunication service providers.

This snapshot of recent Gallium campaigns revealed a new RAT, indicating that the group remains an active and evolving threat.

Based on the most recent reports, Gallium has expanded that scope to include key government entities and financial institutions in Asia, Africa, Europe, and Australia.

Organizations in the targeted sectors are therefore advised to use the indicators of compromise published in the Unit 42 report for timely detection.
