CIO News Hubb

Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks

by admin, April 27, 2023, in Information Security


Apr 26, 2023Ravie LakshmananLinux / Cyber Threat

The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a previously undocumented tool codenamed Sword2033.

That’s according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal.

Alloy Taurus is the constellation-themed moniker assigned to a threat actor that’s known for its attacks targeting telecom companies since at least 2012. It’s also tracked by Microsoft as Granite Typhoon (previously Gallium).

Last month, the adversary was linked to a campaign called Tainted Love that targeted telecommunication providers in the Middle East, part of a broader operation tracked as Soft Cell.

Recent cyber espionage attacks mounted by Alloy Taurus have also broadened their victimology footprint to include financial institutions and government entities.

PingPull, first documented by Unit 42 in June 2022, is a remote access trojan best known for a variant that tunnels its command-and-control (C2) traffic over the Internet Control Message Protocol (ICMP); other Windows variants of the same family talk to their C2 over HTTPS or raw TCP.

The Linux variant offers much the same functionality as its Windows counterpart. The C2 server tasks the implant by sending a single upper-case character (A through K, plus M), each of which maps to an action such as a file operation or the execution of an arbitrary command.

“Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2,” Unit 42 said. “It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS.”
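
The two static indicators in that quote, an embedded OpenSSL 0.9.8e version banner and the C2 domain, are the kind of thing a responder would sweep a Linux fleet for. The Python triage helper below is an added example, not Unit 42's code and not a PingPull signature. It assumes only that OpenSSL's compiled-in OPENSSL_VERSION_TEXT string survives static linking (it does, in .rodata), and it runs against a constructed stand-in blob rather than a real sample. An old OpenSSL banner on its own is a triage hint, not an indicator of compromise: plenty of legacy appliances ship one, so the verdict only becomes "suspicious" when the C2 domain is present as well.

```python
"""Added triage example (not Unit 42's code or a PingPull signature): sweep an
ELF file for the two static indicators the article quotes for the Linux
PingPull sample, an embedded OpenSSL 0.9.8e banner and the C2 domain.
The sample blob at the bottom is constructed; it is not real malware."""
import re
import struct
from typing import Dict, List

# Indicator from the article (written there defanged as zapto[.]org).
C2_DOMAIN = b"yrhsywu2009.zapto.org"

# libcrypto compiles OPENSSL_VERSION_TEXT ("OpenSSL 0.9.8e 23 Feb 2007") into
# .rodata, so a statically linked build carries the banner inside the binary.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: \d{1,2} \w{3} \d{4})?")

# Assumption for this example: these long end-of-life branches merit a look.
EOL_PREFIXES = ("0.9.", "1.0.0", "1.0.1")


def parse_elf_header(data: bytes) -> Dict[str, str]:
    """Return class/endianness/type from the ELF ident and e_type, or {} if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return {}
    endian = "<" if data[5] == 1 else ">"
    e_type = struct.unpack(endian + "H", data[16:18])[0]
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown"),
        "endianness": {1: "little", 2: "big"}.get(data[5], "unknown"),
        "type": {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}.get(e_type, "unknown"),
    }


def printable_strings(data: bytes, min_len: int = 6) -> List[bytes]:
    """Same idea as `strings -n 6`: runs of printable ASCII of at least min_len."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage(data: bytes) -> Dict[str, object]:
    """Scan one binary. 'suspicious' needs both indicators; one alone is 'review'."""
    hdr = parse_elf_header(data)
    hits: List[str] = []
    result: Dict[str, object] = {"is_elf": bool(hdr), "elf": hdr, "hits": hits, "verdict": "not-elf"}
    if not hdr:
        return result
    saw_eol_ssl = saw_domain = False
    for s in printable_strings(data):
        m = OPENSSL_BANNER.search(s)
        if m:
            ver = m.group(1).decode()
            result["openssl_version"] = ver
            if ver.startswith(EOL_PREFIXES) and not saw_eol_ssl:
                saw_eol_ssl = True
                hits.append(f"statically linked end-of-life OpenSSL {ver}")
        if C2_DOMAIN in s and not saw_domain:
            saw_domain = True
            hits.append("known PingPull C2 domain present")
    if saw_eol_ssl and saw_domain:
        result["verdict"] = "suspicious"
    elif hits:
        result["verdict"] = "review"
    else:
        result["verdict"] = "clean"
    return result


def build_sample() -> bytes:
    """Constructed stand-in: a minimal ELF64 little-endian header followed by the
    kind of .rodata strings a statically linked HTTPS client would carry."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, ident version 1
    header = ident + struct.pack("<HHI", 2, 62, 1)           # ET_EXEC, EM_X86_64, EV_CURRENT
    rodata = b"\x00".join([
        b"OpenSSL 0.9.8e 23 Feb 2007",
        b"SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007",
        b"https://yrhsywu2009.zapto.org:8443/",
        b"/bin/sh",
    ])
    return header + b"\x00" * 40 + rodata + b"\x00"


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(blob))
```

Run it with a path to scan a real file, or with no arguments to exercise the constructed blob. The banner regex deliberately captures any OpenSSL version so the script also tells you which legacy builds are in your estate; only the domain match is specific to this campaign, and it should be kept current against the IoC list Unit 42 publishes rather than this single string.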


Interestingly, PingPull’s parsing of C2 instructions mirrors that of China Chopper, a web shell widely used by Chinese threat actors, suggesting the operators are repurposing existing source code to build their custom tools.

A closer examination of the same domain also turned up another ELF artifact, Sword2033, a minimal backdoor with three basic functions: uploading files, exfiltrating files, and executing commands.


The malware’s links to Alloy Taurus stem from the fact that the domain resolved to an IP address previously identified as an active indicator of compromise (IoC) in an earlier campaign against companies operating in Southeast Asia, Europe, and Africa.

The targeting of South Africa, per the cybersecurity company, comes against the backdrop of the country holding a joint 10-day naval drill with Russia and China earlier this year.

“Alloy Taurus remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa,” Unit 42 said.

“The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities.”


Tags: computer security, cyber attacks, cyber news, cyber security news, cyber security news today, cyber security updates, cyber updates, data breach, hacker news, hacking news, how to hack, information security, network security, ransomware malware, software vulnerability, the hacker news
© CIO News Hubb All rights reserved.