New insights from Unit 42 Research: A new, hard-to-detect remote access Trojan called PingPull was recently identified as being used by GALLIUM, an APT (Advanced Persistent Threat) group. The group targets the telecommunications, government and finance sectors.
Unit 42 actively monitors the infrastructure of several APT groups. One of these groups, GALLIUM (aka Operation Soft Cell), has made a name for itself by targeting telecom companies in Southeast Asia, Europe and Africa. Its geographical focus and industry focus, combined with its technical prowess and its use of known Chinese malware and Tactics, Techniques, and Procedures (TTPs), led to the assessment that it is likely a Chinese state-sponsored group.
GALLIUM: Attack focus expanded
Over the past year, this group has expanded its attacks not only to telecom companies, but also to financial and government institutions. During this period, Unit 42 researchers have identified multiple links between the GALLIUM infrastructure and targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam. Most importantly, they found that the group was using a new remote access trojan called PingPull.
Remote access Trojan PingPull
PingPull is able to use three protocols - ICMP, HTTP(S) and raw TCP - for its command-and-control (C2) function. While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make its C2 communications more difficult to discover, as few organizations implement ICMP traffic inspection on their networks. Unit 42's latest blog provides a detailed breakdown of this new tool as well as the latest infrastructure of the GALLIUM group.
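The mitigation the paragraph names is ICMP traffic inspection. The following is an added example, not code from Unit 42 or from the PingPull research, showing a simple baseline check a defender can run over echo requests: it flags payloads whose size or byte entropy does not look like a normal operating-system ping and counts how many such requests each source sends. The packet records, addresses and thresholds are constructed for illustration and are not indicators from the report.

```python
import math
import struct
from collections import Counter

# ICMP echo request: type 8, code 0, checksum, identifier, sequence (RFC 792), then payload.
# Checksum is left as zero because these are constructed samples, not live packets.
def build_echo(ident, seq, payload):
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload

# Baseline shapes of benign pings: Windows sends a fixed 32-byte ASCII string;
# Linux iputils sends a 16-byte timestamp followed by the incrementing bytes 0x10..0x37.
WINDOWS_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PAYLOAD = b"\x00" * 16 + bytes(range(0x10, 0x38))
# Constructed "odd" payload: 64 distinct bytes, i.e. maximal entropy for its length.
ODD_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(64))

# Constructed records (src, dst, raw ICMP bytes); assumed to come from a packet capture.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", build_echo(1, 1, WINDOWS_PAYLOAD)),
    ("10.0.0.6", "10.0.0.1", build_echo(2, 1, LINUX_PAYLOAD)),
    ("10.0.0.7", "203.0.113.9", build_echo(3, 1, ODD_PAYLOAD)),
    ("10.0.0.7", "203.0.113.9", build_echo(3, 2, ODD_PAYLOAD)),
]

def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed data scores high."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_echo(pkt):
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return typ, code, ident, seq, pkt[8:]

def inspect_icmp(packets, max_entropy=5.0, typical_sizes=(32, 56)):
    """Return (alerts, per-source count) for echo requests that deviate from the baseline."""
    alerts = []
    per_src = Counter()
    for src, dst, pkt in packets:
        typ, _code, _ident, seq, payload = parse_echo(pkt)
        if typ != 8:  # only echo requests are scored here
            continue
        reasons = []
        if len(payload) not in typical_sizes:
            reasons.append("size=%d" % len(payload))
        if entropy(payload) > max_entropy:
            reasons.append("entropy=%.2f" % entropy(payload))
        if reasons:
            per_src[src] += 1
            alerts.append((src, dst, seq, ",".join(reasons)))
    return alerts, per_src

if __name__ == "__main__":
    for alert in inspect_icmp(SAMPLE_PACKETS)[0]:
        print("suspicious echo request:", alert)
```

A repeated count from one source against one destination is the beaconing shape worth escalating; the thresholds here are starting points to tune against your own ping baseline.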
Palo Alto Networks customers receive protection against the described threats through Threat Prevention, Advanced URL Filtering, DNS Security, Cortex XDR and WildFire for malware analysis. GALLIUM remains an active threat to telecom, financial and government organizations in Southeast Asia, Europe and Africa. Over the past year, researchers have identified targeted attacks in nine countries. This group has recently used a new capability called PingPull to aid in its espionage activities. Unit 42 recommends using the available evidence to take protective measures against this threat group.
More at PaloAltoNetworks.com
About Palo Alto Networks
Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.