The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan (RAT) that threat hunters say is difficult to detect.
The deployment of this “PingPull” RAT comes as the gang is broadening the types of organizations in its sights from telecommunications companies to financial services firms and government entities across Asia, Southeast Asia, Europe and Africa, according to researchers with Palo Alto Networks’ Unit 42 threat intelligence group.
The backdoor, once in a compromised system, comes in three variants, each of which can communicate with the command-and-control (C2) system in one of three protocols: ICMP, HTTPS and raw TCP. All three PingPull variants have the same functionality, but each creates a custom string of code that it sends to the C2 server, which will use the unique string to identify the compromised system.
“While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks,” the Unit 42 researchers wrote in a blog post Monday.
The PingPull RAT, written in Visual C++, enables attackers to run commands and access a reverse shell on infected systems. According to Unit 42, each variant can run the same commands, ranging from listing folder contents and reading, writing and deleting files to copying and moving files, creating directories and running commands.
Gallium has been attacking telcos since at least 2012, and its activities have sometimes been attributed to another Chinese gang named APT10. Recently Gallium seems to have undergone a growth spurt.
In one Gallium attack against a telco – dubbed “Soft Cell” by threat hunters from Cybereason in 2018 – the group was observed conducting an advanced persistent attack on telco providers that used tools and techniques aimed at stealing data about specific, high-value targets and led to a total takeover of the network.
In that attack, “the threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geolocation of users, and more.”
A year later, Microsoft’s Threat Intelligence Center wrote about Gallium using publicly available exploits to target unpatched internet-facing services and known vulnerabilities in WildFly and JBoss.
In the past year, Unit 42 researchers said they’ve uncovered connections between Gallium’s infrastructure and targeted organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.
The use of PingPull by Gallium is just as important an issue as its new targeting, they suggest. Once in a compromised system, the backdoor sends a PingPull beacon to the C2, which in turn responds with a command that is encrypted using AES in “cipher block chaining” mode. PingPull uses two unique AES keys, the researchers wrote.
In the ICMP variant, “PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server. The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system. Both the Echo Request and Echo Reply packets used by PingPull and its C2 server will have the same structure.”
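The point the researchers make above, that ICMP C2 hides where nobody inspects echo traffic, has a cheap defensive counterpart: an Echo Reply is supposed to carry the request's data back unchanged, so replies whose payload differs from their request, or requests whose payload is not a stock ping pattern, stand out once someone looks. The following is an added example written for this article, not Unit 42's tooling or anything from the PingPull samples; it assumes ICMP packets have already been parsed into simple records (the `EchoPacket` type, the `icmp_tunnel_indicators` function and the sample traffic are all constructed here).

```python
from collections import namedtuple

# Added example (not Unit 42's or PingPull's code). Assumes ICMP echo packets
# are already parsed into EchoPacket records, e.g. from a Zeek/Suricata export.
EchoPacket = namedtuple("EchoPacket", "src dst icmp_type ident seq payload")
ECHO_REPLY, ECHO_REQUEST = 0, 8

# Default ping payloads: Windows ping sends a 32-byte alphabet; iputils ping
# sends a timestamp followed by the fixed byte run 0x10..0x37.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwxyzabcdef"
IPUTILS_TAIL = bytes(range(0x10, 0x38))


def looks_like_default_ping(payload: bytes) -> bool:
    return payload == WINDOWS_PAYLOAD or payload.endswith(IPUTILS_TAIL)


def icmp_tunnel_indicators(packets):
    """Return (reason, src, dst, seq) tuples for echo packets worth a closer look.

    RFC 792 requires an Echo Reply to carry the request's data back unchanged,
    so a reply whose payload differs from its request is carrying something
    else, which is how an ICMP C2 channel hands commands to the implant."""
    alerts, requests = [], {}
    for p in packets:
        if p.icmp_type == ECHO_REQUEST:
            requests[(p.src, p.dst, p.ident, p.seq)] = p.payload
            if not looks_like_default_ping(p.payload):
                alerts.append(("non-default echo payload", p.src, p.dst, p.seq))
        elif p.icmp_type == ECHO_REPLY:
            sent = requests.get((p.dst, p.src, p.ident, p.seq))
            if sent is None:
                alerts.append(("reply without matching request", p.src, p.dst, p.seq))
            elif sent != p.payload:
                alerts.append(("reply payload differs from request", p.src, p.dst, p.seq))
    return alerts


# Constructed sample traffic: one ordinary Windows ping exchange, then a beacon
# carrying a made-up host identifier whose reply comes back with different bytes.
SAMPLE = [
    EchoPacket("10.0.0.5", "10.0.0.1", ECHO_REQUEST, 1, 1, WINDOWS_PAYLOAD),
    EchoPacket("10.0.0.1", "10.0.0.5", ECHO_REPLY, 1, 1, WINDOWS_PAYLOAD),
    EchoPacket("10.0.0.7", "203.0.113.9", ECHO_REQUEST, 77, 3, b"HOST-ID:WS07\x00\x00"),
    EchoPacket("203.0.113.9", "10.0.0.7", ECHO_REPLY, 77, 3, b"\x9f\x12\xa0\x55\x7b\xc3"),
]
```

Run over the sample, only the second exchange is flagged, once for its non-standard request payload and once for the reply that does not echo it back; the same two checks applied to a real capture give an analyst a short list of echo flows to pull apart rather than an unfiltered stream.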
Another variant uses HTTPS to communicate with the C2, while the TCP variant uses raw TCP. It’s time for admins to check their traffic files again. ®