The identification of a Linux variant of PingPull malware, as well as the recent use of the Sword2033 backdoor, shows Alloy Taurus continues to evolve its operations in support of its espionage activities.

Chinese state-sponsored threat actor Alloy Taurus has introduced a new variant of its PingPull malware designed to target Linux systems, Palo Alto Networks said in its research. Alongside the new variant, the researchers identified a second backdoor, Sword2033.

Alloy Taurus, a Chinese APT, has been active since 2012 and conducts cyberespionage campaigns across Asia, Europe, and Africa. The group is known for targeting telecommunications companies, but in recent years it has also been observed targeting financial and government institutions.

The first samples of the PingPull malware date back to September 2021. In June 2022, researchers at Palo Alto Networks outlined the functionality of the tool and attributed it to Alloy Taurus. PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.

“The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities,” Palo Alto Networks said in its research.

The new Linux variant of PingPull was identified in March. At the time of the report, only three out of 62 vendors detected the sample as malicious, a low detection rate for a sample already in use in the wild.

Linux variant of PingPull

The Linux variant of PingPull was identified based on matching HTTP communication structure, POST parameters, AES key, and C2 commands. It uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the C2 domain over HTTPS, Palo Alto Networks said in its research.

“The payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. This is the same key that we previously observed in the original Windows PE variant of PingPull,” the research report said. Because the key is hard-coded and shared between the Windows and Linux builds, it is a useful static indicator for hunting, as is the version string of the statically linked OpenSSL library.

The new Linux variant is similar to the earlier Windows version in functionality. It allows the attackers to list, read, write, copy, rename, and delete files, as well as run commands.

PingPull also shares some functions, HTTP parameters, and command handlers with the China Chopper web shell. According to the report, this indicates that “Alloy Taurus is using code they might be familiar with, and they are integrating it into the development of custom tooling.”

The researchers also identified another backdoor, Sword2033. Its C2 communication process is the same as that of the PingPull Linux variant. The backdoor performs three functions: uploading a file to the system, downloading a file from the system, and executing a command.

Connection to South Africa and Nepal

While the IP addresses of the C2 domains do not show any connection with the South African government, researchers said the domain name gives the impression of a connection to the South African military.

“The establishment of a C2 server that appears to impersonate the South African military is uniquely notable when analyzed in the context of recent events. In February 2023, South Africa joined Russia and China to participate in combined naval exercises,” Palo Alto said in its research.

Analyzing traffic to the Sword2033 C2 server, researchers identified sustained connections originating from an IP address that hosts several subdomains for an organization that finances long-term urban infrastructure development projects in Nepal.

“Alloy Taurus remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa,” the research report said. To protect themselves, organizations should focus on improving network security, endpoint security, and security automation, Palo Alto Networks added.
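The report quoted in the "Linux variant of PingPull" section describes the server-to-implant message as Base64-encoded AES ciphertext under the fixed key P29456789A1234sS. The following decoder is an added example written for this page; it is not code from the Unit 42 report, from Palo Alto Networks, or from the PingPull sample itself. Only the key and the Base64-over-AES layering come from the report. The block mode (CBC), the all-zero IV, and PKCS#7 padding are assumptions made so the example runs; an analyst working from a real capture would confirm those from the binary. AES-128 is implemented inline in pure Python so nothing outside the standard library is needed, and it is checked against the FIPS-197 Appendix C.1 known-answer vector before use. The sample message in the usage block is constructed, not captured traffic.

```python
import base64

# Key quoted in the Unit 42 report above; 16 bytes, so AES-128.
PINGPULL_KEY = b"P29456789A1234sS"
# ASSUMPTION: the report does not give the block mode or IV; this example uses
# CBC with an all-zero IV and PKCS#7 padding purely so that it is runnable.
ASSUMED_IV = bytes(16)

def _xtime(a):  # multiply by x in GF(2^8) modulo the AES polynomial 0x11b
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _mul(a, b):  # GF(2^8) multiplication by shift-and-add
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():  # S-box = affine transform of the field inverse (a^254)
    box = []
    for a in range(256):
        inv = 1
        for _ in range(254):
            inv = _mul(inv, a)
        box.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return box

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def _expand_key(key):  # AES-128 key schedule: 11 round keys of 16 bytes each
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inv=False):  # state is column-major: index = row + 4*col
    out = s[:]
    for r in range(1, 4):
        for c in range(4):
            src, dst = r + 4 * ((c + r) % 4), r + 4 * c
            if inv:
                src, dst = dst, src
            out[dst] = s[src]
    return out

def _mix_columns(s, inv=False):
    m = (14, 11, 13, 9) if inv else (2, 3, 1, 1)  # first row of the circulant matrix
    out = []
    for c in range(4):
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            acc = 0
            for j in range(4):
                acc ^= _mul(col[j], m[(j - r) % 4])
            out.append(acc)
    return out

def aes128_encrypt_block(block, rks):
    s = [b ^ k for b, k in zip(block, rks[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rks[rnd])]
    return bytes(s)

def aes128_decrypt_block(block, rks):
    s = [b ^ k for b, k in zip(block, rks[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, inv=True)]
        s = [b ^ k for b, k in zip(s, rks[rnd])]
        if rnd != 0:
            s = _mix_columns(s, inv=True)
    return bytes(s)

def aes_self_test():
    """FIPS-197 Appendix C.1 known-answer test; True when the inline AES is correct."""
    key, pt = bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")
    rks = _expand_key(key)
    ct = aes128_encrypt_block(pt, rks)
    return ct.hex() == "69c4e0d86a7b0430d8cdb78070b4c55a" and aes128_decrypt_block(ct, rks) == pt

def decode_c2_response(body, key=PINGPULL_KEY, iv=ASSUMED_IV):
    """Base64-decode, then AES-CBC-decrypt and unpad a server response.
    Raises ValueError on malformed Base64, a bad length, or bad padding
    (which is what a wrong key, IV or mode assumption looks like)."""
    ct = base64.b64decode(body, validate=True)
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext length %d is not a multiple of 16" % len(ct))
    rks, out, prev = _expand_key(key), bytearray(), iv
    for i in range(0, len(ct), 16):
        blk = ct[i:i + 16]
        out += bytes(a ^ b for a, b in zip(aes128_decrypt_block(blk, rks), prev))
        prev = blk
    pad = out[-1]
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key, IV or mode assumption")
    return bytes(out[:-pad])

def encode_c2_response(plaintext, key=PINGPULL_KEY, iv=ASSUMED_IV):
    """Inverse of decode_c2_response; used here only to construct sample traffic."""
    pad = 16 - len(plaintext) % 16
    data = plaintext + bytes([pad]) * pad
    rks, out, prev = _expand_key(key), bytearray(), iv
    for i in range(0, len(data), 16):
        prev = aes128_encrypt_block(bytes(a ^ b for a, b in zip(data[i:i + 16], prev)), rks)
        out += prev
    return base64.b64encode(bytes(out))

if __name__ == "__main__":
    assert aes_self_test(), "inline AES failed its known-answer test"
    sample = encode_c2_response(b"constructed sample command")  # constructed, not real traffic
    print(sample.decode(), "->", decode_c2_response(sample))
```

The decoder deliberately fails closed: a response whose decoded length is not a multiple of the block size, or whose padding does not verify, raises rather than returning partial plaintext, which is the signal an analyst needs when the mode or IV assumption is wrong for a given sample. Swapping in a different mode is a matter of changing the two CBC loops once the real one has been confirmed from the binary.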