A Chinese Advanced Persistent Threat (APT), known as Gallium, has been observed using a previously undocumented remote access trojan in its spying attacks targeting companies operating in Southeast Asia, Europe and Africa.
Called PingPull, the “hard to detect” backdoor stands out for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published today by Palo Alto Networks Unit 42.
Gallium is notorious for its attacks primarily targeting telecom companies, dating back as far as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been linked to a broader series of attacks targeting five major telecom companies in Southeast Asian countries since 2017.
In the past year, however, the group is said to have expanded its victimization footprint to include financial institutions and government agencies in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.
PingPull, a Visual C++-based malware, allows a threat actor to access a reverse shell and execute arbitrary commands on a compromised host. This includes performing file operations, enumerating storage volumes, and timestamping files.
“PingPull samples that use ICMP for C2 communication deliver ICMP Echo Request (ping) packets to the C2 server,” the researchers describe. “The C2 server answers these Echo Requests with an Echo Reply packet to issue commands to the system.”
Also identified are PingPull variants that rely on HTTPS and TCP instead of ICMP to communicate with their C2 server, as well as more than 170 IP addresses associated with the group since late 2020.
It is not immediately clear how the targeted networks are being breached, although the threat actor is known to exploit internet-exposed applications to gain an initial foothold and to deploy a modified version of the China Chopper web shell to establish persistence.
“Gallium remains an active threat to telecommunications, financial and government organizations in Southeast Asia, Europe and Africa,” the researchers noted.
“While using ICMP tunneling is not a new technique, PingPull is using ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks.”
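The two points above (a C2 server that answers Echo Requests with Echo Replies carrying commands, and the observation that few organizations inspect ICMP) suggest a simple detection check a defender can run over captured traffic: under RFC 792 a legitimate Echo Reply echoes the request's data field verbatim, so a reply whose payload differs from the matching request, or a reply with no matching request, is worth alerting on. The following is an added illustration written for this article, not code from Unit 42 or from the PingPull analysis; the sample packets are constructed inline, the checksum field is left zero and not verified, and the 32-byte letter payload merely resembles a common ping pattern.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence (RFC 792)


def parse_icmp(raw: bytes) -> dict:
    """Split an ICMP packet (no IP header) into its header fields and data payload."""
    if len(raw) < 8:
        raise ValueError("ICMP packet shorter than the 8-byte echo header")
    icmp_type, code, _checksum, ident, seq = struct.unpack(ICMP_HEADER_FMT, raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": raw[8:]}


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed sample packet for the demo; checksum is left as zero."""
    return struct.pack(ICMP_HEADER_FMT, icmp_type, 0, 0, ident, seq) + payload


def detect_suspicious_replies(packets, max_payload=64):
    """Return findings for Echo Replies that do not look like answers to a real ping.

    A reply must quote the request's payload byte for byte; a reply that carries
    different data (the pattern described for PingPull) or that has no matching
    request in the capture is flagged. Oversized payloads are flagged as well.
    Findings are (identifier, sequence, reason) tuples in capture order.
    """
    pending = {}   # (id, seq) -> payload of the outstanding request
    findings = []
    for raw in packets:
        p = parse_icmp(raw)
        key = (p["id"], p["seq"])
        if len(p["payload"]) > max_payload:
            findings.append((*key, "oversized payload"))
        if p["type"] == ICMP_ECHO_REQUEST:
            pending[key] = p["payload"]
        elif p["type"] == ICMP_ECHO_REPLY:
            expected = pending.pop(key, None)
            if expected is None:
                # Can also happen when the capture missed the request; tune as needed.
                findings.append((*key, "unsolicited reply"))
            elif expected != p["payload"]:
                findings.append((*key, "payload mismatch"))
    return findings


# Constructed sample capture: a benign ping exchange, then a reply whose data
# differs from the request (command-style content), then a reply with no request.
NORMAL_DATA = b"abcdefghijklmnopqrstuvwxyzabcdef"  # 32 bytes, ping-like filler
SAMPLE_PACKETS = [
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, NORMAL_DATA),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, NORMAL_DATA),
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 2, NORMAL_DATA),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 2, b"constructed: reply data differs"),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 3, NORMAL_DATA),
]

if __name__ == "__main__":
    for ident, seq, reason in detect_suspicious_replies(SAMPLE_PACKETS):
        print(f"id=0x{ident:04x} seq={seq}: {reason}")
```

In practice the packets would come from a capture file or a sensor rather than a list, and the unsolicited-reply rule needs a grace period for requests the sensor never saw; the payload-mismatch rule is the one that most directly reflects the behaviour the researchers describe.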