Security News > 2023 > April > Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks
The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033.
Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012.
Interestingly, PingPull's parsing of the C2 instructions mirrors that of the China Chopper, a web shell widely used by Chinese threat actors, suggesting that the threat actor is repurposing existing source code to devise custom tools.
The malware's links to Alloy Taurus stems from the fact that the domain resolved to an IP address that was previously identified as an active indicator of compromise associated with a prior campaign targeting companies operating in Southeast Asia, Europe, and Africa.
"Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa," Unit 42 said.
"The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities."
News URL
https://thehackernews.com/2023/04/chinese-hackers-using-pingpull-linux.html
Related news
- Chinese hackers target Linux with new WolfsBane malware (source)
- MoneyGram confirms hackers stole customer data in cyberattack (source)
- Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Chinese Hackers Use CloudScout Toolset to Steal Session Cookies from Cloud Services (source)
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials (source)
- Sophos reveals 5-year battle with Chinese hackers attacking network devices (source)
- Sophos Versus the Chinese Hackers (source)
- FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)