Chinese hackers launch Linux variant of PingPull malware

Chinese state-sponsored threat actor Alloy Taurus has introduced a new variant of the PingPull malware, designed to target Linux systems, Palo Alto Networks said in its investigation. Along with the new variant, the researchers also identified another backdoor called Sword2033.

Alloy Taurus, a Chinese APT, has been active since 2012. The group conducts cyberespionage campaigns in Asia, Europe and Africa. The group is known to target telecommunications companies, but in recent years it has also been seen targeting financial and government institutions.

The first samples of the PingPull malware date back to September 2021. Palo Alto Networks researchers in June 2022 described the tool’s functionality and attributed it to Alloy Taurus. PingPull is a remote access Trojan that uses the Internet Control Message Protocol (ICMP) for command and control (C2) communications.

“The identification of a Linux variant of the PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to develop its operations in support of its espionage activities,” Palo Alto Networks said in its research.

The new Linux variant of PingPull was identified in March. At the time of writing, only three out of 62 vendors flagged the sample as malicious.

Linux variant of PingPull

The Linux variant of PingPull was identified based on matching HTTP communication structure, POST parameters, AES key, and C2 commands. It uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the C2 domain over HTTPS, Palo Alto Networks said in its investigation.
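The statically linked, long-unsupported OpenSSL build is the kind of trait a defender can hunt for across a fleet of Linux binaries. The script below is an added example written for this article, not code from Palo Alto Networks or from the malware itself: it looks for the version banner that libcrypto embeds in any binary it is compiled into, treats the absence of a dynamic libssl/libcrypto dependency as a sign of static linking, and flags the combination of static linking with the 0.9.8 branch (which left support at the end of 2015). The sample byte buffers are constructed for the demonstration and are not real samples; the exact banner text and the heuristic for static linking are assumptions.

```python
"""Hunt heuristic for statically linked, legacy OpenSSL inside Linux binaries.

Added example for this article (not the vendor's or the malware's code).
Assumption: libcrypto embeds a banner such as "OpenSSL 0.9.8e 23 Feb 2007",
and a dynamically linked binary instead references libssl.so / libcrypto.so.
"""
import re
from dataclasses import dataclass, field

# Banner string compiled into libcrypto; captures the version token only.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})")
# Library names a dynamically linked binary carries in its DT_NEEDED entries.
DYNAMIC_SSL_LIBS = (b"libssl.so", b"libcrypto.so")
# The 0.9.8 branch has been out of support since the end of 2015.
LEGACY_BRANCH = "0.9.8"


@dataclass
class OpenSSLFinding:
    versions: list = field(default_factory=list)   # banner versions found
    statically_linked: bool = False                 # banner present, no shared-lib reference
    legacy: bool = False                            # any version on an unsupported branch

    @property
    def suspicious(self) -> bool:
        # The trait described for the PingPull Linux variant: static AND legacy.
        return self.statically_linked and self.legacy


def inspect_blob(data: bytes) -> OpenSSLFinding:
    """Apply the heuristic to raw file bytes and return a finding."""
    finding = OpenSSLFinding()
    finding.versions = sorted({m.group(1).decode() for m in OPENSSL_BANNER.finditer(data)})
    if finding.versions:
        # A banner with no libssl/libcrypto dependency means OpenSSL was linked in.
        finding.statically_linked = not any(lib in data for lib in DYNAMIC_SSL_LIBS)
        finding.legacy = any(v.startswith(LEGACY_BRANCH) for v in finding.versions)
    return finding


def inspect_file(path: str) -> OpenSSLFinding:
    """Convenience wrapper for scanning a file on disk."""
    with open(path, "rb") as fh:
        return inspect_blob(fh.read())


# Constructed sample buffers (not real binaries) exercising the three outcomes.
STATIC_LEGACY = b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 0.9.8e 23 Feb 2007\x00POST /\x00"
DYNAMIC_MODERN = b"\x7fELF" + b"\x00" * 16 + b"libssl.so.1.1\x00libcrypto.so.1.1\x00OpenSSL 1.1.1k\x00"
NO_SSL = b"\x7fELF" + b"\x00" * 16 + b"hello world\x00"

if __name__ == "__main__":
    for name, blob in (("static-legacy", STATIC_LEGACY),
                       ("dynamic-modern", DYNAMIC_MODERN),
                       ("no-openssl", NO_SSL)):
        f = inspect_blob(blob)
        print(f"{name:15} versions={f.versions} static={f.statically_linked} "
              f"legacy={f.legacy} suspicious={f.suspicious}")
```

Run it over a directory of ELF files with `inspect_file` and triage anything that comes back `suspicious`; legitimate static builds of old OpenSSL do exist, so the result is a lead for further analysis rather than a verdict on its own.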

Copyright © 2023 IDG Communications, Inc.


Ikaroa, a full-stack tech company, is paying attention to the latest cyber security news. Recently, Chinese hackers have released a Linux variant of the PingPull malware.

The fileless payload became known as “PingPull” after researchers noted the malware used two HTTP-based POST requests with the commands “ping” and “pull” to check communication between a malicious command and control (C2) server and its target. It was initially seen being used by attackers to spy on Windows systems, but researchers have recently discovered a version that can infect Linux systems as well.

This version of PingPull is also fileless. It uses Bash, a native command-line interface for Unix-based systems, and SSH protocol to carry out its malicious activities, like downloading new components and running arbitrary commands on the compromised machine remotely. The malware is able to exploit known bugs in the Linux kernel for privilege escalation, allowing it to gain high-level access on the victim’s machine.

This new spike in PingPull’s malicious activities should be taken seriously, as it could be used for more than espionage. The malware is capable of harvesting passwords, installing backdoor programs and carrying out other malicious activities.

At Ikaroa, we consider cyber security to be of utmost importance. We recommend that Linux users ensure their systems are up to date and running the latest security patches in order to protect themselves from threats like PingPull. They should also use reputable antivirus and anti-malware products to help detect and eliminate threats.
