Chinese state-sponsored threat actor Alloy Taurus has introduced a new variant of the PingPull malware, designed to target Linux systems, Palo Alto Networks said in its investigation. Along with the new variant, the researchers also identified another backdoor called Sword2033.
Alloy Taurus, a Chinese APT, has been active since 2012. The group conducts cyberespionage campaigns in Asia, Europe and Africa. The group is known to target telecommunications companies, but in recent years it has also been seen targeting financial and government institutions.
The first samples of the PingPull malware date back to September 2021. Palo Alto Networks researchers in June 2022 described the tool’s functionality and attributed it to Alloy Taurus. PingPull is a remote access Trojan that uses the Internet Control Message Protocol (ICMP) for command and control (C2) communications.
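Because PingPull carries its C2 traffic over ICMP, a defender's first question is what distinguishes echo requests carrying a tunnel from ordinary ping. The following Python script is an added illustration (not code from the page or from Palo Alto Networks) of a generic ICMP-tunnel heuristic: it groups echo-request payloads by source host and flags hosts whose payload sizes fall outside what standard ping tools emit or whose payloads have encryption-like entropy. The baseline sizes, the entropy cut-off and the sample records are constructed assumptions for the demonstration; the high-entropy payloads are a SHA-256 chain, not real PingPull traffic, and the report does not describe PingPull's ICMP payload format.

```python
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Payload sizes produced by common ping implementations (56 bytes for iputils on
# Linux, 32 bytes for Windows ping). Anything else is worth a second look.
BASELINE_SIZES = {56, 32}
ENTROPY_THRESHOLD = 6.5   # bits/byte; illustrative cut-off, tune it on your own traffic


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0 for a constant payload, 8 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def linux_ping_payload(seq: int) -> bytes:
    """Constructed stand-in for a default iputils echo-request payload:
    an 8-byte timestamp followed by the fill pattern 0x08..0x37."""
    return seq.to_bytes(8, "little") + bytes(range(8, 56))


def tunnel_like_payload(seq: int, size: int) -> bytes:
    """Constructed high-entropy payload standing in for encrypted C2 data; a SHA-256
    chain keeps the sample deterministic (it is not real PingPull traffic)."""
    out, block = b"", hashlib.sha256(b"constructed-sample-%d" % seq).digest()
    while len(out) < size:
        out += block
        block = hashlib.sha256(block).digest()
    return out[:size]


# Constructed ICMP echo-request records: (source IP, payload bytes).
RECORDS: List[Tuple[str, bytes]] = (
    [("10.0.0.5", linux_ping_payload(s)) for s in range(1, 6)]
    + [("10.0.0.9", tunnel_like_payload(s, 256 + 32 * s)) for s in range(3)]
)


def score_hosts(records) -> Dict[str, List[str]]:
    """Group echo requests by source and return the reasons each host was flagged
    (an empty list means nothing anomalous was seen)."""
    by_host = defaultdict(list)
    for src, payload in records:
        by_host[src].append(payload)
    verdicts = {}
    for src, payloads in by_host.items():
        reasons = []
        sizes = {len(p) for p in payloads}
        if not sizes <= BASELINE_SIZES:
            reasons.append(f"non-standard payload sizes {sorted(sizes)}")
        mean_entropy = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if mean_entropy > ENTROPY_THRESHOLD:
            reasons.append(f"mean payload entropy {mean_entropy:.2f} bits/byte")
        verdicts[src] = reasons
    return verdicts


if __name__ == "__main__":
    for host, reasons in score_hosts(RECORDS).items():
        print(host, ("FLAGGED: " + "; ".join(reasons)) if reasons else "ok")
```

Run as-is, the script reports the constructed host 10.0.0.5 as clean and 10.0.0.9 as flagged on both counts. Note that the incrementing fill pattern of a normal Linux ping already scores around 5.5 bits per byte, which is why the threshold sits well above it; a real deployment would baseline the entropy distribution of the network's own ping traffic before choosing a cut-off, and would also look at request rate and destination, since a tunnel needs far more echo requests than a monitoring check.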
“The identification of a Linux variant of the PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to develop its operations in support of its espionage activities,” Palo Alto Networks said in its research.
The new Linux variant of PingPull was identified in March. Currently, three out of 62 vendors found the sample to be malicious.
Linux variant of PingPull
The Linux variant of PingPull was identified based on matching HTTP communication structure, POST parameters, AES key, and C2 commands. It uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the C2 domain over HTTPS, Palo Alto Networks said in its investigation.
“The payload expects the C2 server to respond with data that is Base64-encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. This is the same key we previously observed in the original Windows PE variant of PingPull,” the investigative report said.
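Two facts in the paragraph above are directly usable by defenders: the C2 response is Base64-wrapped AES ciphertext, and the 16-byte key is hard-coded and shared between the Windows and Linux builds, which makes it a static indicator. The Python script below is an added example (not code from the page or from Palo Alto Networks) showing both uses: a structural triage of a captured HTTP response body, and a scan of a file image for the key and for the OpenSSL 0.9.8e version string the report says is statically linked into the Linux variant. It assumes a padded block mode such as CBC when it checks for block alignment (the report does not name the mode) and assumes the OpenSSL version text survives in the binary; the response bodies and the ELF-like blob are constructed for the demonstration, not real samples.

```python
import base64
import binascii
from typing import Dict, List, Tuple

# Hard-coded AES key the report gives for both the Windows and Linux PingPull variants.
PINGPULL_AES_KEY = b"P29456789A1234sS"
# Version string of the OpenSSL build the report says is statically linked into the
# Linux variant. A weak indicator on its own, since other old binaries embed it too
# (assumption: the version text is present in the binary).
OPENSSL_VERSION_STRING = b"OpenSSL 0.9.8e"
AES_BLOCK = 16


def key_profile(key: bytes) -> str:
    """AES variant implied by the key length (a 16-byte key means AES-128)."""
    return {16: "AES-128", 24: "AES-192", 32: "AES-256"}.get(len(key), "not an AES key length")


def triage_c2_response(body: bytes) -> Tuple[bool, str]:
    """Structural check of an HTTP response body against the reported C2 format:
    strict Base64 whose decoded length is a non-zero multiple of the AES block size
    (assumes a padded block mode such as CBC; a stream mode would not align)."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not strict Base64"
    if not raw:
        return False, "decodes to nothing"
    if len(raw) % AES_BLOCK:
        return False, f"decoded length {len(raw)} is not a multiple of {AES_BLOCK}"
    return True, f"{len(raw)} bytes of block-aligned ciphertext"


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in blob."""
    offsets, start = [], 0
    while (i := blob.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan_indicators(blob: bytes) -> Dict[str, List[int]]:
    """Offsets of the two static indicators inside a file image."""
    return {
        "aes_key": find_all(blob, PINGPULL_AES_KEY),
        "openssl_0.9.8e": find_all(blob, OPENSSL_VERSION_STRING),
    }


# Constructed samples (not real captures): 32 arbitrary bytes standing in for
# ciphertext, a body that is not Base64 at all, and a decoded length off the block boundary.
ALIGNED_BODY = base64.b64encode(bytes(range(32)))
NOT_B64_BODY = b"<html>not a c2 response</html>"
MISALIGNED_BODY = base64.b64encode(b"A" * 20)

# Constructed ELF-like blob with both indicators embedded at known offsets (44 and 66).
SAMPLE_BLOB = (b"\x7fELF" + b"\x00" * 40 + OPENSSL_VERSION_STRING
               + b"\x00" * 8 + PINGPULL_AES_KEY + b"\x00" * 8)


if __name__ == "__main__":
    print("key profile:", key_profile(PINGPULL_AES_KEY))
    for name, body in [("aligned", ALIGNED_BODY), ("html", NOT_B64_BODY),
                       ("misaligned", MISALIGNED_BODY)]:
        print(name, triage_c2_response(body))
    print(scan_indicators(SAMPLE_BLOB))
```

The alignment check is a cheap filter for proxy or sandbox logs, not proof of PingPull: many legitimate responses are Base64 blobs of block-aligned length, so a hit should lead to decryption with the published key and comparison against the command handlers the report describes. The key scan is the stronger signal; a hit on the key string in an ELF or PE that also carries the old OpenSSL version text matches what the report describes for the Linux variant, and a hit on the key alone still warrants pulling the sample for analysis.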
The new Linux variant is similar in functionality to the earlier Windows version. It allows attackers to list, read, write, copy, rename and delete files, as well as execute commands.
PingPull also shares some features, HTTP parameters and command handlers with the China Chopper web shell, which the researchers say indicates that “Alloy Taurus is using code they might be familiar with and is integrating it into the development of custom tools,” the report said.
The researchers also identified a second backdoor, Sword2033. Its C2 communication process is the same as that of the PingPull Linux variant. The backdoor performs three functions: upload a file to the system, download a file from the system, and execute a command.
Connection with South Africa and Nepal
Although the IP addresses of the C2 domains show no connection to the South African government, investigators said the domain name gives the impression of a connection to the South African military.
“The establishment of a C2 server that appears to impersonate the South African military is singularly remarkable when viewed in the context of recent events. In February 2023, South Africa joined Russia and China in participating in combined naval exercises,” Palo Alto said in its research.
Analyzing traffic on the Sword2033 C2 server, the researchers identified sustained connections coming from an IP hosting multiple subdomains for an organization funding long-term urban infrastructure development projects in Nepal.
“Alloy Taurus remains an active threat to telecommunications, finance and government organizations in Southeast Asia, Europe and Africa,” the research report said. To protect themselves, organizations must focus on improving network security, endpoint security and security automation, Palo Alto Networks added.
Copyright © 2023 IDG Communications, Inc.
Ikaroa, a full-stack tech company, is paying attention to the latest cyber security news. Recently, Chinese hackers have released a Linux variant of the PingPull malware.
The fileless payload became known as “PingPull” after researchers noted the malware used two HTTP-based POST requests with the commands “ping” and “pull” to check communication between a malicious command and control (C2) server and its target. It was initially seen being used by attackers to spy on Windows systems, but researchers have recently discovered a version that can infect Linux systems as well.
This version of PingPull is also fileless. It uses Bash, a native command-line interface for Unix-based systems, and the SSH protocol to carry out its malicious activities, such as downloading new components and remotely running arbitrary commands on the compromised machine. The malware is able to exploit known bugs in the Linux kernel for privilege escalation, allowing it to gain high-level access on the victim’s machine.
This new spike in PingPull’s malicious activities should be taken seriously, as it could be used for more than espionage. The malware is capable of harvesting passwords, installing backdoor programs and carrying out other malicious activities.
At Ikaroa, we consider cyber security to be of utmost importance. We recommend that Linux users ensure their systems are up to date and running the latest security patches in order to protect themselves from threats like PingPull. They should also use reputable antivirus and anti-malware products to help detect and eliminate threats.