A Chinese-speaking advanced persistent threat group called Gallium has been observed using a newly discovered remote access trojan, PingPull, in its cyber-espionage campaigns. The group is known for attacking various industries in Europe, Africa, and Southeast Asia (SEA).
PingPull is a backdoor that is difficult for researchers to detect because it uses the Internet Control Message Protocol (ICMP) for its command-and-control (C2) communications.
Based on reports, the Gallium APT group has been attacking telecom companies for about a decade. Researchers have also attributed to the group a broader set of attacks that targeted five of the biggest telecom companies in SEA.
However, there were rumours that the group had expanded its attack scope and added several targets to its campaigns. Aside from telecom firms, it also targets government entities and financial institutions based in the Philippines, Vietnam, Malaysia, Cambodia, Russia, Mozambique, Afghanistan, and Australia.
Gallium’s PingPull malware features several sophisticated capabilities.
The malware is written in C++ and gives the threat actor a reverse shell on the infected device, through which arbitrary commands can be run. Its capabilities also include file operations, timestomping files, and enumerating storage volumes.
The researchers also indicated that the first PingPull sample used ICMP for its C2 communications. The malware sends ICMP Echo Request packets to the C2 server, and the server answers with Echo Reply packets that carry the commands to be executed on the system.
Some PingPull variants instead use TCP or HTTPS to reach the C2 server rather than ICMP.
Some cybersecurity experts stated that, for now, it is still not clear how the Gallium group infiltrates targeted networks. However, the threat actor is known to abuse internet-exposed applications to gain initial access, and it uses modified versions of the China Chopper web shell to maintain persistence on compromised targets.
Finally, the researchers noted that ICMP tunnelling is not a new tactic. PingPull's use of it is nonetheless hard to detect, since only a handful of governments have implemented inspection of ICMP traffic.
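As an added defender-side example (not code from the original report or from any vendor's tooling), the following Python pairs ICMP echo requests with their replies and flags a reply whose data differs from the request, or a reply with no outstanding request; RFC 792 requires an echo reply to return the request's data unchanged, so the echo-reply-carries-commands pattern described above departs from an ordinary ping in exactly this way. The packet bytes and identifiers are constructed here; in practice they would come from a capture with the IP header stripped.

```python
import struct
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a packet with a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo packet (no IP header) with a correct checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, inet_checksum(hdr + payload), ident, seq) + payload

def parse_icmp(pkt: bytes):
    """Return (type, id, seq, payload); reject truncated or corrupt packets."""
    if len(pkt) < 8 or inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP packet")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, ident, seq, pkt[8:]

def find_tunnelling_indicators(packets):
    """Pair requests with replies by (id, seq). A reply whose payload differs from
    its request, or a reply with no outstanding request, is not an ordinary ping."""
    pending, findings = {}, []
    for pkt in packets:
        icmp_type, ident, seq, payload = parse_icmp(pkt)
        key = (ident, seq)
        if icmp_type == ICMP_ECHO_REQUEST:
            pending[key] = payload
        elif icmp_type == ICMP_ECHO_REPLY:
            request = pending.pop(key, None)
            if request is None:
                findings.append((key, "reply without request"))
            elif request != payload:
                findings.append((key, "reply payload differs from request"))
    return findings

# Constructed sample traffic: a normal ping exchange, a reply carrying bytes the
# request never sent, and an unsolicited reply with no matching request.
PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # typical 32-byte ping body
SAMPLE = [
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, PING_DATA),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, PING_DATA),
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 2, PING_DATA),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 2, b"\x00" * 8 + b"constructed-tasking-bytes"),
    build_icmp(ICMP_ECHO_REPLY, 0x9999, 7, b"x" * 16),
]
```

Running `find_tunnelling_indicators(SAMPLE)` reports the mismatched reply for sequence 2 and the unsolicited reply for id 0x9999, while the normal exchange for sequence 1 produces nothing.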