Chinese Hackers Use New Linux Malware Variants for Espionage

Cyber Security Threat Summary:
Hackers are using new Linux malware variants in cyber espionage attacks, including a Linux version of PingPull and a previously undocumented backdoor known as Sword2033. PingPull was first observed last year as a RAT (remote access trojan) in espionage operations by the Chinese state-sponsored group Gallium (also tracked as Alloy Taurus), targeting government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam and the Philippines. Unit 42 has been monitoring these espionage campaigns and recently disclosed that the threat actor has been using the new malware versions to target South Africa and Nepal.

Currently, only three out of 62 anti-virus vendors can identify the Linux version of PingPull, a malicious ELF file. Unit 42 determined that it is a port of the known Windows malware by identifying the resemblances in its HTTP communication structure, POST parameters, AES key, and the commands it receives from the threat actor's C2 server.

“The commands the C2 sends to the malware are indicated by a single uppercase character in the HTTP parameter, and the payload returns the results to the server via a base64-encoded request.

The parameters and corresponding commands are:

  • A – Get the current directory
  • B – List folder
  • C – Read text file
  • D – Write a text file
  • E – Delete file or folder
  • F – Read binary file, convert to hex
  • G – Write binary file, convert to hex
  • H – Copy file or folder
  • I – Rename a file
  • J – Create a Directory
  • K – Timestamp file with a specified timestamp in "%04d-%d-%d %d:%d:%d" format
  • M – Run command

Unit 42 comments that the command handlers used in PingPull match those observed in another malware named 'China Chopper,' a web shell seen heavily used in attacks against Microsoft Exchange servers”.
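The single-letter command scheme quoted above lends itself to a simple triage check over web-proxy logs. The following is an added example written for this summary, not code from Unit 42 or BleepingComputer; the parameter name `cmd`, the hosts and the log bodies are constructed assumptions, since the excerpt does not name the HTTP parameter.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Command letters from the published PingPull analysis; note that 'L' is not in the list.
PINGPULL_COMMANDS = {
    "A": "get current directory", "B": "list folder", "C": "read text file",
    "D": "write text file", "E": "delete file or folder",
    "F": "read binary file as hex", "G": "write binary file from hex",
    "H": "copy file or folder", "I": "rename file", "J": "create directory",
    "K": "set file timestamp", "M": "run command",
}

# Constructed proxy log lines in the form "METHOD URL BODY". The parameter name
# "cmd", the hosts and the bodies are assumptions for this example, not report values.
SAMPLE_LOG = [
    "POST http://c2.example.invalid/api?cmd=B " + base64.b64encode(b"/home/user").decode(),
    "POST http://c2.example.invalid/api?cmd=M " + base64.b64encode(b"uname -a").decode(),
    "POST http://c2.example.invalid/api?cmd=Z dGVzdA==",      # letter not in the documented set
    "POST http://c2.example.invalid/api?cmd=A not-base64!!",   # body fails the strict base64 check
    "GET http://www.example.invalid/index.html -",             # ordinary browsing, ignored
]


def decode_result(body: str):
    """Strictly decode a base64 result payload; return None if it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(line: str):
    """Flag a POST whose query carries one documented command letter and a base64 body."""
    method, url, body = line.split(" ", 2)
    if method != "POST":
        return None
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            if value in PINGPULL_COMMANDS:
                result = decode_result(body)
                if result is None:
                    continue  # a one-letter value alone is too weak a signal
                return {"param": name, "command": value,
                        "handler": PINGPULL_COMMANDS[value],
                        "result": result.decode("utf-8", "replace")}
    return None


def scan(lines):
    """Return the triage hits for a batch of log lines, in order."""
    return [hit for hit in (triage(line) for line in lines) if hit]
```

A single-letter parameter with a base64 body is a heuristic, not an identification; treat hits as leads to correlate with the IOCs Unit 42 published.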

Security Officer Comments:
In addition to the Linux variant of PingPull, Unit 42 uncovered a new ELF backdoor that communicated with the same C2 server as PingPull. This backdoor is a simple tool with more basic functions, such as uploading and exfiltrating files and executing a command with ":; echo \n" appended to it. The echo command helps obscure its activity or make analysis more challenging. Unit 42 discovered a second Sword2033 sample that connected to a different C2 address impersonating the South African military. This sample was also linked to a SoftEther VPN address, a product that Gallium is known to use in its operations. The cybersecurity firm noted that this was likely not a random choice, as South Africa engaged in joint military exercises with Russia and China in February 2023.

In conclusion, Gallium continues to refine its arsenal and expand its target range using new Linux variants of PingPull and the recently discovered Sword2033 backdoor. Organizations must adopt a comprehensive security strategy that goes beyond static detection methods to effectively counter this sophisticated threat.

Corrections or Suggestions:
Unit 42 has published IOCs that can be used to detect the PingPull malware variant:

https://unit42.paloaltonetworks.com/alloy-taurus/

Source: https://www.bleepingcomputer.com