According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.
Gallium, a Chinese advanced Trojan horse (APT), has an ancient legacy of cyberespionage on telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, has been linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
A threat actor can use PingPull, a Visual C++-based virus, to gain access to a reverse shell and run unauthorized commands on a compromised computer. File operations, detailing storage volumes, and timestamping files are all part of it now.
The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet."
PingPull variants that use HTTPS and TCP rather than ICMP to interact with its C2 server have been discovered, along with over 170 IP addresses associated with the company since late 2020. Although the threat actor is recognized to exploit internet-exposed programs to acquire an initial foothold and deploy a customized form of the China Chopper web shell to create persistence, it's not obvious how the targeted networks are hacked.
Throughout Southeast Asia, Europe, and Africa, the GALLIUM trojan continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended all businesses use the results of researchers to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in favor of its espionage efforts.