Hackers From China Seen Using Linux PingPull Version in Targeted Cyberattacks

The Chinese nation-state group known as Alloy Taurus is using a Linux variant of the PingPull backdoor along with a new, previously undocumented tool codenamed Sword2033.

According to research from Palo Alto Networks Unit 42, the group recently carried out malicious cyber operations directed against South Africa and Nepal. Alloy Taurus is the constellation-themed name given to a threat actor known for cyberattacks on telecom businesses since at least 2012. Microsoft also tracks it as Granite Typhoon (previously Gallium).

The attacker was linked to Tainted Love, a campaign launched last month against Middle Eastern telecom companies as part of a more extensive operation known as Soft Cell. Financial institutions and governmental organizations are now included in the victimology of recent cyber espionage attacks carried out by Alloy Taurus.

PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. It was initially identified by Unit 42 in June 2022. The malware’s Linux variant offers features comparable to its Windows variant, allowing it to operate on files and execute arbitrary commands when the C2 server sends a single upper-case character between A and K, or M.

“Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2,” said Unit 42. “It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS.”
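The two static traits in the quote above, static linking and an embedded OpenSSL 0.9.8e, can be checked on disk during triage. The following is an added example, not code from Unit 42 or the original article; the function names `triage_elf` and `make_elf64` are hypothetical, and the sample binaries are constructed in memory.

```python
import re
import struct

PT_LOAD, PT_INTERP = 1, 3                      # ELF program header types
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")
OLD_VERSION = "0.9.8e"                         # version named in the Unit 42 quote

def triage_elf(data: bytes) -> dict:
    """Flag ELF images that are statically linked and embed an OpenSSL 0.9.8e banner."""
    result = {"elf": False, "static": False, "openssl": [], "review": False}
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        return result
    is64 = data[4] == 2                        # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"         # EI_DATA: 1 = little-endian
    if is64 and len(data) < 0x40:
        return result
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                              # truncated or malformed image
        types.append(struct.unpack_from(end + "I", data, off)[0])
    versions = sorted({v.decode() for v in BANNER.findall(data)})
    # No PT_INTERP segment means no dynamic loader is requested: static linking.
    static = bool(types) and PT_INTERP not in types
    result.update(elf=True, static=static, openssl=versions,
                  review=static and OLD_VERSION in versions)
    return result

def make_elf64(ptypes, payload=b""):
    """Constructed sample: minimal little-endian ELF64 header + program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0x40, 0, 0,
                                 0x40, 56, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack("<II", t, 0) + bytes(48) for t in ptypes)
    return header + phdrs + payload

if __name__ == "__main__":
    blob = b"\x00OpenSSL 0.9.8e\x00"           # constructed banner bytes
    print(triage_elf(make_elf64([PT_LOAD], blob)))
    print(triage_elf(make_elf64([PT_LOAD, PT_INTERP], blob)))
```

A `review` hit is a triage lead rather than attribution, since legacy software also ships statically linked OpenSSL 0.9.8e; correlate it with outbound connections to the domain and port quoted above.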

PingPull’s handling of the C2 instructions is very similar to that of China Chopper, a web shell popular among Chinese threat actors, indicating that the threat actor is reusing pre-existing source code to create bespoke tools. A closer examination of the domain mentioned above also uncovered another ELF artifact (Sword2033) that supports three fundamental tasks, including uploading and exfiltrating data and running commands.

The malware is connected to Alloy Taurus because the domain resolved to an IP address previously recognized as an active indicator of compromise (IoC) associated with an earlier campaign targeting businesses operating in Southeast Asia, Europe, and Africa. The cybersecurity firm said South Africa was targeted after participating in a joint 10-day naval exercise with Russia and China earlier this year.

According to Unit 42, Alloy Taurus continues to pose a severe danger to businesses engaged in banking, telecommunications, and government across Southeast Asia, Europe, and Africa. In addition to the current deployment of the Sword2033 backdoor, the discovery of a Linux edition of the PingPull malware indicates that the gang is continuing to develop its operations to assist its espionage efforts.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities and/or enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.