Palo Alto’s Unit42 recently reported on PingPull, a RAT used by the Gallium threat actor group to target entities in the telecommunications, government, and financial verticals.
- PingPull is a RAT used by the Gallium threat actor group.
- Recent targets have included entities in the telecommunications, government, and financial verticals.
- PingPull has three variants, each leveraging either ICMP, HTTPS, or TCP for C2 communications.
PingPull is a newly identified, hard-to-detect RAT used by the Gallium threat actor group. It is written in C++ and allows threat actors to run commands and access a reverse shell on victim machines.
PingPull installs itself as a Windows service and masquerades as the legitimate iphlpsvc service by reusing that service's description. It uses Iph1psvc (the digit 1 in place of the letter l) as its service name and IP He1per instead of IP Helper as its display name. Some PingPull samples use Onedrive as the service name instead.
The malware has multiple variants, each leveraging one of three protocols (ICMP, HTTP(S), or raw TCP) for C2. Each variant creates a custom string that it sends to the C2 server in every interaction; Unit42 researchers believe the C2 server uses this string to identify the compromised system. The string uses the following format:
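The Iph1psvc / IP He1per trick relies on a digit standing in for a letter, which is easy to miss in services.msc but trivial to catch programmatically. The script below is an added example (not Unit42 or PolySwarm code) that folds look-alike digits to letters and compares service names and display names against a small known-good table; the service records it scans are constructed, and on a real host you would feed it the output of `Get-CimInstance Win32_Service` instead.

```python
"""Flag Windows services whose name or display name is a look-alike of a
legitimate service, the way PingPull's Iph1psvc / IP He1per masquerade.

Added example, not code from Unit42 or PolySwarm. The service records in
SAMPLE_SERVICES are constructed.
"""
import re

# Digit-for-letter substitutions that survive a casual glance in services.msc.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Known-good (service name, display name) pairs for a few commonly imitated
# services. Extend this from a golden image of your own build.
LEGITIMATE = {
    "iphlpsvc": "IP Helper",
    "dhcp": "DHCP Client",
    "wuauserv": "Windows Update",
}


def normalize(value: str) -> str:
    """Lower-case, fold look-alike digits to letters, then keep letters only."""
    folded = value.lower().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", folded)


def check_service(name: str, display_name: str) -> list:
    """Return findings for one service; an empty list means nothing suspicious."""
    findings = []
    norm_name = normalize(name)
    norm_display = normalize(display_name)
    for good_name, good_display in LEGITIMATE.items():
        # Name folds to a legitimate name but is not spelled identically
        # (Iph1psvc -> iphlpsvc).
        if norm_name == normalize(good_name) and name.lower() != good_name.lower():
            findings.append(f"service name {name!r} imitates {good_name!r}")
        # Display name folds to a legitimate display name but differs from it
        # ('IP He1per' -> 'IP Helper').
        if norm_display == normalize(good_display) and display_name != good_display:
            findings.append(f"display name {display_name!r} imitates {good_display!r}")
        # Exact legitimate display name attached to the wrong service name.
        if display_name == good_display and name.lower() != good_name.lower():
            findings.append(
                f"display name {display_name!r} belongs to {good_name!r}, not {name!r}"
            )
    return findings


def scan(services) -> dict:
    """Run check_service over (name, display_name) tuples; map name -> findings."""
    return {name: f for name, disp in services if (f := check_service(name, disp))}


# Constructed sample: two clean services and two PingPull-style imposters.
SAMPLE_SERVICES = [
    ("iphlpsvc", "IP Helper"),
    ("Dhcp", "DHCP Client"),
    ("Iph1psvc", "IP He1per"),
    ("wuauserv2", "Windows Update"),
]

if __name__ == "__main__":
    for svc_name, svc_findings in scan(SAMPLE_SERVICES).items():
        print(svc_name)
        for finding in svc_findings:
            print("  -", finding)
```

The folding step is deliberately aggressive (all non-letters are dropped after substitution), so a hit only means "review this service"; the third check also catches the case where an attacker copies the legitimate display name verbatim under a new service name.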
PROJECT_[uppercase executable name]_[uppercase computer name]_[uppercase hexadecimal IP address]
The first PingPull variant uses ICMP tunneling to make C2 communications more difficult to detect. PingPull sends ICMP Echo Request (ping) packets to the C2 server, which replies to the Echo requests with an Echo Reply packet to issue commands to the system.
A second PingPull variant uses HTTPS requests for C2 communication. The initial beacon uses a POST request over an HTTPS channel, with a URL crafted using a unique identifier string generated by PingPull.
The third PingPull variant uses raw TCP for C2 communication. While this version also uses a unique identifier string generated by the malware, the TCP C2 channel begins with a 4-byte value for the length of data that follows.
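Because the same identifier string is embedded in every C2 exchange, whichever transport a variant uses, it is a convenient thing to hunt for in proxy logs, ICMP payload dumps or TCP stream reassemblies. The script below is an added example, not code from Unit42 or PolySwarm, that locates strings of the reported PROJECT_[EXE]_[COMPUTER]_[HEXIP] form and decodes the IP field. Two assumptions are labelled in the code: the hex IP is an IPv4 address written as 8 hex digits, and since the report does not state its byte order, both readings are returned. The sample lines are constructed, not real captures.

```python
"""Locate and decode PingPull-style system identifiers in captured text.

Added example, not code from Unit42 or PolySwarm. The identifier format
PROJECT_<EXE>_<COMPUTER>_<HEXIP> comes from the report; everything else
here is an assumption or constructed sample data.
"""
import ipaddress
import re

# Assumptions: the executable name may contain dots (e.g. NAME.EXE) but no
# underscores, the computer name may contain hyphens but no underscores, and
# the IP field is exactly 8 upper-case hex digits (an IPv4 address).
ID_PATTERN = re.compile(
    r"\bPROJECT_(?P<exe>[A-Z0-9.]+)_(?P<host>[A-Z0-9-]+)_(?P<hexip>[0-9A-F]{8})(?![0-9A-Z])"
)


def decode_hex_ip(hexip: str) -> dict:
    """Decode 8 hex digits as IPv4 in both byte orders (order not stated in the report)."""
    raw = bytes.fromhex(hexip)
    return {
        "ip_big_endian": str(ipaddress.IPv4Address(raw)),
        "ip_little_endian": str(ipaddress.IPv4Address(raw[::-1])),
    }


def find_identifiers(text: str) -> list:
    """Return one dict per identifier found in text, with its fields split out."""
    results = []
    for m in ID_PATTERN.finditer(text):
        entry = {
            "identifier": m.group(0),
            "exe": m.group("exe"),
            "host": m.group("host"),
        }
        entry.update(decode_hex_ip(m.group("hexip")))
        results.append(entry)
    return results


# Constructed samples: a proxy-log style HTTPS POST line, a line carrying a
# second identifier as it might appear in an ICMP payload dump, and a
# benign request that must not match.
SAMPLES = [
    "POST /PROJECT_IPH1PSVC.EXE_WORKSTATION-07_C0A80105 HTTP/1.1",
    "icmp echo-request payload: PROJECT_ONEDRIVE.EXE_FILESRV01_0A000002",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for hit in find_identifiers("\n".join(SAMPLES)):
        print(hit)
```

Run it over a concatenated log extract rather than line by line if your capture tool wraps long URLs; the pattern is anchored on word boundaries, not on line boundaries, so it tolerates surrounding text.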
PingPull provides threat actors with multiple capabilities including enumerating storage volumes, listing folder contents, reading/writing/deleting files, converting to hexadecimal, moving and copying files, creating directories, and timestamping files. PingPull also allows the threat actors to run commands through cmd.exe, giving them a reverse shell.
Who is Gallium?
Gallium, also known as Operation Soft Cell, is a China-nexus threat actor group that is thought to be state-sponsored due to TTP overlap with other Chinese state-sponsored threat actor groups. Their past targets have included telecommunications companies, primarily in Southeast Asia, Europe, and Africa. The group recently expanded its targeting to include financial and government entities. More recent targets were located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Gallium TTPs include QuarkBandit, BlackMould, China Chopper, HTRAN, Mimikatz, PlugX, PoisonIvy, the use of stolen code signing certificates, and the use of Taiwan-based servers for infrastructure.
PolySwarm has multiple samples of PingPull.
You can use the following CLI command to search for all PingPull samples in our portal:
$ polyswarm link list -f PingPull
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.