Gallium, a Chinese advanced persistent threat (APT), has been seen deploying a previously unknown remote access trojan in espionage attacks against firms in Southeast Asia, Europe, and Africa. According to a recent study published by Palo Alto Networks Unit 42, the “difficult-to-detect” backdoor known as PingPull is unique for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.
Gallium has a long history of cyberattacks against telecom providers, dating back to 2012. Since 2017, the state-sponsored actor, tracked as Soft Cell by Cybereason, has been linked to a broader set of attacks targeting five major telecom corporations in Southeast Asian countries. Over the last year, however, the group’s victimology has grown to include financial institutions and government bodies in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
PingPull, a Visual C++-based malware, gives a threat actor a reverse shell and the ability to run arbitrary commands on a compromised host, including file operations, timestomping files, and enumerating storage volumes.
“PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server,” detailed the researchers. “The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system.”
PingPull variants that use HTTPS or TCP instead of ICMP to communicate with their C2 server have also been discovered, and more than 170 IP addresses have been attributed to the group since late 2020. Although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and to deploy a customized version of the China Chopper web shell for persistence, the exact way the targeted networks are compromised is not clear.
According to the researchers, Gallium is still a threat to telecommunications, financial, and government institutions in Southeast Asia, Africa, and Europe. “While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks.”
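The defensive corollary of the Unit 42 quote is that ICMP echo traffic is worth inspecting. The script below is an added illustration, not code from the report or from PingPull: it parses raw ICMP echo packets and flags three things a C2 channel like the one described would produce, namely an Echo Reply whose data does not mirror its Echo Request (RFC 792 requires the reply to echo the request data), oversized payloads, and high-entropy payloads. The packets, identifiers and thresholds are constructed for the example.

```python
import math
import struct
from collections import Counter
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def build_icmp(icmp_type, ident, seq, payload):
    """Raw ICMP echo packet: type, code, checksum (left 0 in this constructed data), id, seq."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def parse_icmp(raw):
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}

def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def find_suspicious_echoes(packets, max_payload=64, entropy_threshold=6.0):
    """Flag echo traffic whose reply does not mirror its request, or whose payload is bulky or random."""
    requests, findings = {}, []
    for i, raw in enumerate(packets):
        pkt = parse_icmp(raw)
        key = (pkt["id"], pkt["seq"])
        if pkt["type"] == ICMP_ECHO_REQUEST:
            requests[key] = pkt["payload"]
        elif pkt["type"] == ICMP_ECHO_REPLY:
            if key in requests and requests[key] != pkt["payload"]:
                findings.append((i, "reply payload differs from request"))
        else:
            continue  # other ICMP types are out of scope for this check
        if len(pkt["payload"]) > max_payload:
            findings.append((i, "oversized payload"))
        if shannon_entropy(pkt["payload"]) > entropy_threshold:
            findings.append((i, "high-entropy payload"))
    return findings

# Constructed sample traffic (not captured PingPull data).
NORMAL = bytes(8) + bytes(range(0x10, 0x40))             # Linux-style 56-byte ping payload
TASKING = bytes((i * 73 + 41) % 256 for i in range(48))  # stand-in for a reply carrying data
SAMPLE_PACKETS = [
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, NORMAL),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, NORMAL),       # benign: reply mirrors request
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 2, NORMAL),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 2, TASKING),      # reply carries different bytes
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 3, bytes(range(200))),  # bulky, high-entropy
]

def run_demo():
    return find_suspicious_echoes(SAMPLE_PACKETS)
```

Thresholds here are deliberately loose; in production they should be tuned against the baseline of the ping tools actually in use, since some implementations send larger or patterned payloads legitimately.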