Alloy Taurus using PingPull


The Chinese nation-state group named Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033.  That is according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal.

Alloy Taurus is the constellation-themed moniker assigned to a threat actor that is known for its attacks targeting telecom companies since at least 2012.  It is also tracked by Microsoft as Granite Typhoon (previously GALLIUM).  During March 2023, the group was attributed to a campaign called Tainted Love targeting telecommunication providers in the Middle East as part of a broader operation referred to as Soft Cell.  GALLIUM is a threat actor believed to be targeting telecommunication providers around the world, mostly in South-East Asia, Europe and Africa.  To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss.

Recent cyber espionage attacks mounted by Alloy Taurus have also broadened their victimology footprint to include financial institutions and government entities.   PingPull, first documented in June 2022, is a remote access trojan that employs the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.

The Linux flavor of the malware, which was uploaded to VirusTotal on 07 March 2023, offers similar functionality to its Windows counterpart: it can carry out file operations and run arbitrary commands, with the C2 server selecting each action by sending a single upper-case character (A through K, and M).  "Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2.  It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS."

Of interest to investigators, PingPull's parsing of the C2 instructions mirrors that of China Chopper, a web shell widely used by Chinese threat actors, suggesting that the threat actor is repurposing existing source code to devise custom tools.  A closer examination of the aforementioned domain has also revealed the existence of another ELF artifact (i.e., Sword2033) that supports three basic functions: uploading files to the system, exfiltrating files from it, and executing commands.
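The one network indicator the reporting above gives for both PingPull (Linux) and Sword2033 is the C2 domain yrhsywu2009.zapto[.]org contacted over port 8443. The following is an added example, not code from the original post or from Unit 42: a small Python detection routine that refangs that indicator and runs it over a few constructed proxy/firewall log lines. The log format, the source IP addresses and every hostname other than the reported C2 domain are made up for the example; the check also treats subdomains of the reported host as matches, which is a defensive choice of this example rather than something the reporting states.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Indicator from the Unit 42 reporting summarised on this page, kept defanged
# exactly as published so that it cannot be clicked or resolved by accident.
DEFANGED_IOCS = ["yrhsywu2009.zapto[.]org"]
# Port the Linux PingPull sample was reported to use for HTTPS C2.
C2_PORT = 8443


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


@dataclass
class Alert:
    line_no: int
    src: str
    dst: str
    port: int
    reason: str


# Constructed, simplified log format for the example:
#   <timestamp> src=<ip> dst=<host> dport=<port> proto=<proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) proto=(?P<proto>\S+)$"
)


def matches_ioc(host: str) -> bool:
    """True if host equals, or is a subdomain of, a known C2 domain (case/trailing-dot insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_logs(lines: Iterable[str]) -> list[Alert]:
    """Return one Alert per log line whose destination is a known C2 domain.

    A match on the domain alone is enough to alert; the reported C2 port is
    recorded as corroborating context, not required, since operators can
    change ports far more easily than infrastructure.
    """
    alerts: list[Alert] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        dst, port = m["dst"], int(m["port"])
        if matches_ioc(dst):
            reason = "destination is a known PingPull/Sword2033 C2 domain"
            if port == C2_PORT:
                reason += f" on reported C2 port {C2_PORT}"
            alerts.append(Alert(n, m["src"], dst, port, reason))
    return alerts


# Constructed sample log lines (internal IPs and non-IoC hostnames are invented).
SAMPLE_LOGS = [
    "2023-03-07T10:00:01Z src=10.0.0.5 dst=updates.example.com dport=443 proto=tcp",
    "2023-03-07T10:00:02Z src=10.0.0.5 dst=yrhsywu2009.zapto.org dport=8443 proto=tcp",
    "2023-03-07T10:00:03Z src=10.0.0.9 dst=YRHSYWU2009.zapto.org. dport=80 proto=tcp",
    "this line is not in the expected format",
    "2023-03-07T10:00:04Z src=10.0.0.7 dst=mail.example.org dport=8443 proto=tcp",
]

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"line {a.line_no}: {a.src} -> {a.dst}:{a.port} ({a.reason})")
```

Running the block flags lines 2 and 3 only: the hostname match is what matters, so the mixed-case, trailing-dot lookup on port 80 is still caught, while the unrelated host on port 8443 is not, because a port by itself is not an indicator.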

China Chopper is a web shell approximately 4 kilobytes in size, first discovered in 2012. This web shell is commonly used by malicious Chinese actors, including Advanced Persistent Threat (APT) groups, to remotely control web servers.  This web shell has two parts, the client interface (an executable file) and the receiver host file on the compromised web server.

China Chopper has many command-and-control features, such as a password brute-force attack option, code obfuscation, file and database management and a graphical user interface.  It was originally distributed from the website www.maicaidao.com, which is now down.  Investigators revealed that the client of this web shell is programmed in Microsoft Visual C++ 6.0.

The malware's links to Alloy Taurus stem from the fact that the domain resolved to an IP address that was previously identified as an active Indicator of Compromise (IoC) associated with a 2021 campaign targeting companies operating in Southeast Asia, Europe, and Africa.

The targeting of South Africa, per the cybersecurity company, comes against the backdrop of the country holding a joint 10-day naval drill with Russia and China earlier this year.  Alloy Taurus remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa.

The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve its operations in support of its espionage activities.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Source: https://thehackernews.com/2023/04/chinese-hackers-using-pingpull-linux.html

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
