Insights, news, education and announcements from PolySwarm

PingPull Linux Variant

Written by The Hivemind | May 8, 2023 7:05:38 PM

Related Families: Sword2033

Executive Summary

China nexus threat actor group Gallium was recently observed using a new Linux variant of PingPull in an espionage campaign.

Key Takeaways

  • Gallium was recently observed using a new Linux variant of PingPull.
  • The sample was identified as PingPull due to its similarities to the Windows variant.
  • Gallium is also using Sword2033 backdoor.
  • The threat actors appear to be expanding their operational capabilities in 2023.

What is the PingPull Linux Variant?

Researchers from Palo Alto’s Unit 42 recently reported on a new Linux variant of PingPull. PingPull is a RAT used by the China nexus threat actor group Gallium. The original PingPull variant targeting Windows was first noted in September 2021. PingPull is a RAT that uses ICMP for C2. The Linux variant uses OpenSSL to interact with the C2 over HTTPS.

The Linux variant of PingPull was identified as a PingPull variant due to matching HTTP communication structure, POST parameters, and the AES key and C2 commands used. PingPull for Linux gives the threat actors the ability to list, read, write, copy, rename, and delete files. It also gives them the ability to run commands.

Unit 42 researchers noted several of the HTTP parameters used in the PingPull Linux variant align with commands used in the China Chopper webshell.

What is Sword2033?

Unit 42 researchers also included details on Sword2033, another tool in Gallium’s arsenal. Sword2033 is a backdoor that connects over port 8443 over HTTPS. Sword2033 allows threat actors to upload and download files from the victim machine and execute commands. Sword2033 also targets Linux systems.

Who is Gallium?

Gallium, also known as Alloy Taurus and Operation Soft Cell, is a China nexus threat actor group known to target telecommunications, financial, and government entities. The group has been active since at least 2012, and their primary objective is espionage. Gallium’s TTPs overlap with several other China nexus threat actor groups. TTPs include using actor-controlled servers based in Taiwan, PoisonIvy RAT, HTRAN, China Chopper, BlackMould, PlugX, PingPull, and Sword2033. Unit 42 researchers noted the new PingPull variant and Sword2033 seem to indicate Gallium is expanding its operational capabilities.

IOCs

PolySwarm has a sample of the PingPull Linux variant.

 

cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae

 

You can use the following CLI command to search for all PingPull samples in our portal:

$ polyswarm link list -f PingPull

 

PolySwarm has multiple samples of Sword2033.

 

5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507

e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253

 

You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f Sword2033

 

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports