The dubbed Chinese nation-state group Taurus alloy is using a Linux variant of a backdoor called PingPull, as well as a new, undocumented tool codenamed Sword2033.
That’s according to the findings of Palo Alto Networks’ Unit 42, which recently uncovered malicious cyber activity by the group targeting South Africa and Nepal.
Alloy Taurus is the constellation moniker assigned to a threat actor known for its attacks targeting telecommunications companies since at least 2012. Microsoft also follows it as Granite Typhoon (formerly Gallium).
Last month, the adversary was attributed to a campaign called Tainted Love targeting telecommunications providers in the Middle East as part of a wider operation called Soft Cell.
Recent cyber espionage attacks carried out by Alloy Taurus have also expanded their victimology footprint to include financial institutions and government entities.
PingPull, first documented by Unit 42 in June 2022, is a remote access Trojan that uses the Internet Control Message Protocol (ICMP) for command and control (C2) communications.
The Linux flavor of the malware boasts similar functionality to its Windows counterpart, allowing it to perform file operations and execute arbitrary commands by transmitting from the C2 server a single uppercase character between A and K, and M.
“When running, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2,” said unit 42. “Uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the domain over HTTPS.”
Interestingly, PingPull’s analysis of C2 instructions mirrors that of China Chopper, a web shell widely used by Chinese threat actors, suggesting that the threat actor is reusing existing source code to devise custom tools .
Further examination of the aforementioned domain has also revealed the existence of another ELF artifact (i.e. Sword2033) that supports three basic functions, including uploading and exfiltrating files and executing commands.
The malware’s links to Alloy Taurus come from the fact that the domain resolved to an IP address that was previously identified as an active indicator of compromise (IoC) associated with a previous campaign targeting companies operating in the Southeast Asia, Europe and Africa.
South Africa’s target, according to the cyber security firm, comes against the backdrop of the country holding a 10-day joint naval exercise with Russia and China earlier this year.
“Alloy Taurus remains an active threat to telecommunications, finance and government organizations in Southeast Asia, Europe and Africa,” Unit 42 said.
“The identification of a Linux variant of the PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to develop its operations in support of its espionage activities.”
The internet is a dangerous place, and more and more cybercriminals are finding new ways of attacking networks. Recently, security researchers at Ikaroa noticed a new variant of the PingPull Linux malware that is believed to be used by Chinese hackers in targeted cyberattacks.
PingPull is a highly complex malware that can be used to gain remote access to a computer or network and give the attacker full control of the machine, allowing them to manipulate and siphon off confidential data. The linux variant of PingPull is even more sophisticated than the original and can easily penetrate systems without arousing suspicion.
Ikaroa researchers have identified a number of targeted cyberattacks that have been conducted using the PingPull linux variant, primarily directed against government and financial institutions. In the last few months alone, numerous financial institutions in the United Kingdom, Germany, and Russia have been affected by these attacks.
Ikaroa’s security experts believe that these attacks stem from groups in China and are likely done for financial gain or to gain access to sensitive government documents. In some cases, the hackers have also been observed attempting to install additional malicious software onto the affected machines.
Fortunately, Ikaroa has developed a number of security protocols and solutions to help fight against these types of cyberattacks and protect valuable information. Using advanced network-monitoring tools, Ikaroa security engineers can monitor networks for suspicious activities and incidents, helping to identify potential threats and stopping attacks before they can cause damage.
Ikaroa’s security experts advise that individuals and organizations should be constantly vigilant and take the necessary measures to protect their networks. As hackers become increasingly sophisticated, it is essential to use the most up-to-date security tools and keep systems patched and up-to-date to ensure the safety of information.