
Chinese-sponsored gang Gallium upgrades to sneaky PingPull RAT
2022-06-14 06:27

The Gallium group, believed to be a Chinese state-sponsored team, is going on the warpath with an upgraded remote access trojan that threat hunters say is difficult to detect.

Once inside a compromised system, the backdoor comes in three variants, each communicating with the command-and-control (C2) server over a different protocol: ICMP, HTTPS or raw TCP. All three PingPull variants have the same functionality, but each generates a custom string that it sends to the C2 server, which uses that unique string to identify the compromised system.

"While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks," the Unit 42 researchers wrote in a blog post Monday.

Gallium has been attacking telcos since at least 2012, and its activities have sometimes been attributed to another Chinese gang named APT10.

Gallium's use of PingPull is just as important an issue as its new targeting, the Unit 42 researchers suggest.

In the ICMP variant, "PingPull samples that use ICMP for C2 communications issue ICMP Echo Request packets to the C2 server. The C2 server will reply to these Echo requests with an Echo Reply packet to issue commands to the system. Both the Echo Request and Echo Reply packets used by PingPull and its C2 server will have the same structure."
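The point of the quoted passage for defenders is that an Echo Reply is supposed to carry the request's payload back unchanged (RFC 792), so a reply whose payload differs from its request is a clear sign the exchange is carrying data in both directions. The following added example, which is not code from the Unit 42 post or from The Register, shows a minimal heuristic check for that over raw ICMP echo packets. All packet contents are constructed for illustration; they do not reproduce PingPull's real message format, which the article does not publish, and the `COMMON_PING_PAYLOAD_SIZES` set is an assumption about the stock ping utilities.

```python
"""Heuristic detection of ICMP echo tunnelling over constructed packets.

Added example, not code from the article or from Unit 42. The beacon and task
payloads below are constructed placeholders, not PingPull's real format.
"""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
# Assumed default payload sizes of stock ping tools (iputils 56, Windows 32).
COMMON_PING_PAYLOAD_SIZES = {32, 56}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw ICMP echo packet (8-byte header + payload) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Parse the ICMP echo header; everything after byte 8 is payload."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def analyse_echo_flows(packets: list) -> list:
    """Pair requests with replies by (id, seq); return (id, seq, reason) findings.

    The strongest signal is a reply whose payload is not a byte-for-byte echo
    of the request (RFC 792 violation). An unusual request payload size is a
    weaker, supporting signal and is reported separately.
    """
    requests = {}
    findings = []
    for raw in packets:
        pkt = parse_echo(raw)
        key = (pkt["id"], pkt["seq"])
        if pkt["type"] == ICMP_ECHO_REQUEST:
            requests[key] = pkt["payload"]
            size = len(pkt["payload"])
            if size not in COMMON_PING_PAYLOAD_SIZES:
                findings.append((*key, "request payload size %d is unusual" % size))
        elif pkt["type"] == ICMP_ECHO_REPLY:
            req_payload = requests.get(key)
            if req_payload is None:
                findings.append((*key, "reply without matching request"))
            elif req_payload != pkt["payload"]:
                findings.append((*key, "reply payload differs from request (RFC 792 violation)"))
    return findings


# Constructed sample traffic: one iputils-style ping exchange (16-byte timestamp
# area followed by the 0x10..0x37 pattern, 56 bytes), then a hypothetical
# tunnelled exchange where the reply carries different bytes than the request.
_BENIGN_PAYLOAD = b"\x00" * 16 + bytes(range(0x10, 0x38))
_BEACON = b"CONSTRUCTED-BEACON:host=ws01".ljust(64, b"\x00")
_TASK = b"CONSTRUCTED-TASK-PLACEHOLDER".ljust(64, b"\x00")

SAMPLE_PACKETS = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, _BENIGN_PAYLOAD),
    build_echo(ICMP_ECHO_REPLY, 0x1234, 1, _BENIGN_PAYLOAD),
    build_echo(ICMP_ECHO_REQUEST, 0x4242, 7, _BEACON),
    build_echo(ICMP_ECHO_REPLY, 0x4242, 7, _TASK),
]

if __name__ == "__main__":
    for ident, seq, reason in analyse_echo_flows(SAMPLE_PACKETS):
        print("id=0x%04x seq=%d: %s" % (ident, seq, reason))
```

In a real deployment the packets would come from a capture rather than the constructed list, and the size check should be tuned to the ping tools actually in use on the network; the request/reply mismatch check needs no tuning, which is why it is the one worth alerting on first.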


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/14/gallium-pingpull-rat/