Executive Summary
Palo Alto’s Unit42 recently reported on PingPull, a RAT used by the Gallium threat actor group to target entities in the telecommunications, government, and financial verticals.
Key Takeaways
- PingPull is a RAT used by the Gallium threat actor group.
- Recent targets have included entities in the telecommunications, government, and financial verticals.
- PingPull has three variants, each leveraging either ICMP, HTTPS, or TCP for C2 communications.
PingPull is a newly identified, hard to detect RAT used by the Gallium threat actor group. It is written in C++ and allows threat actors to run commands and access a reverse shell on victim machines.
PingPull installs itself, masquerading as a legitimate service by using the description for the legitimate iphlpsvc service. PingPull uses Iph1psvc as its service name and IP He1per instead of IP Helper as its display name. Some PingPull samples use Onedrive as the service name.
The malware has multiple variants, each leveraging one of three protocols - ICMP, HTTP(S) or raw TCP - for C2. Each variant creates a custom string to send to the C2 in all interactions. Unit42 researchers believe the C2 server uses this information to identify the compromised system. The string uses the following format:
PROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]
ICMP Variant
The first PingPull variant uses ICMP tunneling to make C2 communications more difficult to detect. PingPull sends ICMP Echo Request (ping) packets to the C2 server, which replies to the Echo requests with an Echo Reply packet to issue commands to the system.
HTTPS Variant
A second PingPull variant uses HTTPS requests for C2 communication. The initial beacon uses a POST request over an HTTPS channel, with a URL crafted using a unique identifier string generated by PingPull.
TCP Variant
The third PingPull variant uses raw TCP for C2 communication. While this version also uses a unique identifier string generated by the malware, the TCP C2 channel begins with a 4-byte value for the length of data that follows.
PingPull provides threat actors with multiple capabilities including enumerating storage volumes, listing folder contents, reading/writing/deleting files, converting to hexadecimal, moving and copying files, creating directories, and timestamping files. PingPull also allows the threat actors to run commands on cmd.exe, giving the threat actor a reverse shell.
Who is Gallium?
Gallium, also known as Operation Soft Cell, is a Chinese nexus threat actor group that is thought to be state-sponsored due to TTP overlap with other Chinese state-sponsored threat actor groups. Their past targets have included telecommunications companies, primarily in Southeast Asia, Europe, and Africa. The group recently expanded its targeting to include financial and government entities. More recent targets were located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Gallium TTPs include QuarkBandit, BlackMould, China Chopper, HTRAN, Mimikatz, PlugX, PoisonIvy, using stolen code signing certificates, and using Taiwan-based servers for infrastructure.
IOCs
PolySwarm has multiple samples of PingPull.
De14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761
B4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541
Fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e
F86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3
8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20
You can use the following CLI command to search for all PingPull samples in our portal:
$ polyswarm link list -f PingPull
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports
