Attackers expand their targeting with the PingPull tool


New findings from Unit 42 research: expanded targeting in the telecommunications, government and financial sectors

Unit 42 has recently identified a new, hard-to-detect remote access trojan called PingPull, deployed by GALLIUM, an Advanced Persistent Threat (APT) group.

Unit 42 actively monitors the infrastructure of several APT groups. One of these groups, GALLIUM (also known as Operation Soft Cell), has made a name for itself by targeting telecommunications companies in Southeast Asia, Europe and Africa. Its geographic focus, industry focus and technical capabilities, combined with its use of well-known Chinese malware and of tactics, techniques and procedures (TTPs) associated with Chinese actors, have led to the assessment that it is probably a Chinese state-sponsored group.

Over the past year, the group has extended its attacks beyond telecommunications companies to financial institutions and government entities. During this period, Unit 42 researchers identified several links between GALLIUM infrastructure and targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. Most importantly, they observed that the group is using a new remote access trojan called PingPull.

PingPull can use three transports for its command and control (C2) communication: ICMP, HTTP(S) and raw TCP. ICMP tunnelling is not a new technique, but it is effective here because few organisations inspect ICMP traffic on their networks; C2 traffic carried in ICMP echo messages therefore tends to go unnoticed, while HTTP(S) and TCP beacons are far more likely to be logged and filtered.
Unit 42's full blog post offers a detailed breakdown of this new tool as well as the GALLIUM group's latest infrastructure.
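The practical takeaway from the ICMP point is that echo traffic has to be inspected, not just allowed or blocked. The script below is an added example, not code from Unit 42 or from PingPull, and it makes no claim about PingPull's actual wire format. It parses raw ICMP messages (RFC 792 echo layout), compares the payload against the default payloads of Windows `ping.exe` and Linux `iputils` ping, and flags echo messages with unusual size, high byte entropy or a volume of echo requests between one host pair that no interactive ping session would produce. The thresholds, host addresses and sample packets are all constructed assumptions for illustration.

```python
"""Heuristic detector for ICMP echo tunnelling.

Added example (not Unit 42 or PingPull code). Thresholds and sample traffic
are illustrative assumptions, not tuned values or a real capture.
"""
import math
import struct
from collections import Counter, defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Default payload of Windows ping.exe (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

ENTROPY_THRESHOLD = 6.0      # bits/byte; assumed cut-off for encrypted-looking data
MAX_REQUESTS_PER_PAIR = 20   # assumed per-window cap for one src->dst pair


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(pkt: bytes):
    """Split an ICMP message into header fields and payload; None if truncated."""
    if len(pkt) < 8:
        return None
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": icmp_checksum(pkt) == 0, "payload": pkt[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """True for the default payloads of Windows ping and Linux iputils ping."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils fills byte i with (i & 0xff) and overwrites the first 8 or 16
    # bytes with a timestamp, so the default 56-byte payload ends 0x10..0x37.
    return len(payload) == 56 and payload[16:] == bytes(range(16, 56))


def score_packet(pkt: bytes) -> list:
    """Reasons a single echo request/reply looks tunnelled (empty if benign)."""
    msg = parse_icmp(pkt)
    if msg is None or msg["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return []
    payload = msg["payload"]
    if looks_like_standard_ping(payload):
        return []
    reasons = ["non-standard payload pattern"]
    if len(payload) not in (32, 56):
        reasons.append("unusual payload size %d" % len(payload))
    if len(payload) >= 32 and shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload")
    return reasons


def scan_flows(records) -> dict:
    """records: iterable of (src, dst, raw_icmp_bytes) -> {(src, dst): [reasons]}."""
    findings = defaultdict(list)
    requests = Counter()
    for src, dst, pkt in records:
        findings[(src, dst)].extend(score_packet(pkt))
        msg = parse_icmp(pkt)
        if msg and msg["type"] == ICMP_ECHO_REQUEST:
            requests[(src, dst)] += 1
    for pair, n in requests.items():
        if n > MAX_REQUESTS_PER_PAIR:
            findings[pair].append("%d echo requests in window" % n)
    return {pair: r for pair, r in findings.items() if r}


def build_echo(payload: bytes, icmp_type=ICMP_ECHO_REQUEST, ident=1, seq=1) -> bytes:
    """Build an ICMP echo message with a valid checksum (constructed test data)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


# Constructed sample traffic; addresses and payloads are made up.
LINUX_PING = build_echo(b"\x00" * 16 + bytes(range(16, 56)))
WINDOWS_PING = build_echo(WINDOWS_PING_PAYLOAD)
TUNNEL_DATA = build_echo(bytes(range(256)) * 2)   # 512 bytes, maximal entropy
SAMPLE_RECORDS = [
    ("10.0.0.5", "10.0.0.1", LINUX_PING),
    ("10.0.0.6", "10.0.0.1", WINDOWS_PING),
] + [("10.0.0.7", "203.0.113.9", TUNNEL_DATA)] * 25

if __name__ == "__main__":
    for pair, reasons in scan_flows(SAMPLE_RECORDS).items():
        print(pair, sorted(set(reasons)))
```

In production the records would come from a packet capture or a sensor that exports ICMP payloads; the point is that each check (payload pattern, size, entropy, request rate) is cheap and that ordinary ping traffic passes all of them, so anything flagged deserves a look rather than a blanket ICMP block.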

Palo Alto Networks customers receive protection against the threats described here through Threat Prevention, Advanced URL Filtering, DNS Security, Cortex XDR and WildFire malware analysis.

GALLIUM remains an active threat to telecommunications and financial companies, as well as government organisations, in Southeast Asia, Europe and Africa. Over the past year, the researchers have detected targeted attacks in nine countries. The group has recently deployed a new capability, PingPull, to support its espionage activities. Unit 42 recommends using the published findings to put protective measures in place against this threat group.

Special thanks to the NSA Cybersecurity Collaboration Center, the Australian Cyber Security Centre and other government partners for the cooperation and insights they have provided in support of this investigation.

Palo Alto Networks shared these findings, including file samples and indicators of compromise, with the other members of the Cyber Threat Alliance. CTA members use these insights to quickly provide their customers with protective measures and to systematically disrupt attackers.
