Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks

2022-06-14 03:16

A Chinese advanced persistent threat known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.

Called PingPull, the "Difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol for command-and-control communications, according to new research published by Palo Alto Networks Unit 42 today.

Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012.

PingPull, a Visual C++-based malware, provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host.

Also identified are PingPull variants that rely on HTTPS and TCP to communicate with its C2 server instead of ICMP and over 170 IP addresses associated with the group since late 2020.

"While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks."

News URL

https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html

#attack #chinese #cyberespionage #hacker #malware

News URL

Related news