Gallium APT group uses PingPull malware to target telecommunications, finance, government organizations

New research from Palo Alto Networks’ Unit 42 team identified a new, difficult-to-detect remote access trojan named PingPull being used by Gallium APT (advanced persistent threat) group. Data disclosed that Gallium remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa.

“The group’s geographic targeting, sector-specific focus, and technical proficiency, combined with their use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs), have resulted in industry assessments that Gallium is likely a Chinese state-sponsored group,” Unit 42 researchers wrote in a blog post on Monday. Unit 42 actively monitors infrastructure associated with several APT groups. 

According to the MITRE ATT&CK profile, Gallium is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. The hackers have been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors, it added.

PingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2), Unit 42 said. “While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organizations implement inspection of ICMP traffic on their networks,” it added.
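Because the detection gap described above is the absence of ICMP inspection, the following added example (not code from Unit 42 or from the original article) shows a minimal payload-based inspector for ICMP echo traffic in Python. The packets it checks are constructed samples, not captured PingPull traffic, and the size and entropy thresholds are assumptions a defender would tune to their own baseline.

```python
import math
import struct

# Default 32-byte payload sent by Windows ping.exe, used as a known-benign reference pattern.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def icmp_echo(ident: int, seq: int, payload: bytes, reply: bool = False) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    typ = 0 if reply else 8
    hdr = struct.pack("!BBHHH", typ, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", typ, 0, csum, ident, seq) + payload

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for encrypted or compressed data, 4.44 for the Windows ping text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def inspect_echo(packet: bytes, max_payload: int = 64, max_entropy: float = 6.0) -> list:
    """Return reasons an ICMP echo packet looks like tunnelled data; [] means nothing unusual."""
    if len(packet) < 8:
        return ["truncated ICMP header"]
    typ, _code, csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if typ not in (0, 8):
        return []  # only echo request/reply are considered here (assumed scope)
    payload = packet[8:]
    reasons = []
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        reasons.append("bad checksum")
    if len(payload) > max_payload:  # assumed threshold: legitimate pings are small
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    ent = shannon_entropy(payload)
    if ent > max_entropy:  # assumed threshold: encoded/encrypted data is near 8 bits/byte
        reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
    if payload != WINDOWS_PING[:len(payload)]:
        reasons.append("payload does not match a known ping client pattern")
    return reasons
```

Feed `inspect_echo` the ICMP portion of each packet taken from a capture; a benign `icmp_echo(1, 1, WINDOWS_PING)` returns no reasons, while a 256-byte opaque payload trips the size, entropy and pattern checks at once.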

“Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities,” according to the post. “During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. Most importantly, we have also identified the group’s use of a new remote access trojan named PingPull,” it added.

Unit 42 said that PingPull was written in Visual C++ and provides hackers the ability to run commands and access a reverse shell on a compromised host. “There are three variants of PingPull that are all functionally the same but use different protocols for communications with their C2: ICMP, HTTP(S) and raw TCP,” it added. 

In each of the variants, PingPull will create a custom string that it “will send to the C2 in all interactions, which we believe the C2 server will use to uniquely identify the compromised system,” Unit 42 said. Regardless of the variant, PingPull is capable of installing itself as a service, and the three variants of PingPull have the same commands available within their command handlers, it added.

Unit 42 advises telecommunications, finance, and government organizations located across Southeast Asia, Europe, and Africa to use the published indicators of compromise (IoCs) to identify any impact on their organizations.

Cybersecurity threats from Chinese hacker groups have been ongoing. Last month, SentinelLabs researchers reported that they are tracking the activity of a Chinese-aligned cyberespionage group operating in Central Asia, dubbed ‘Moshen Dragon,’ which targets the telecommunications sector.

U.S. cybersecurity agencies also released last week a cybersecurity advisory outlining the ways in which Chinese state-sponsored hackers continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. The guidance identified that the state-sponsored hackers frequently utilize open-source tools for reconnaissance and vulnerability scanning, and use the network to exploit various targets worldwide, including public and private sector organizations. The notice details the targeting and compromise of major telecommunications companies and network service providers.

Rising instances of APT hacking pushed U.S. security agencies and the Department of Energy (DOE) to issue an advisory in April, warning that specific APT hackers have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices.
