The identification of a Linux variant of PingPull malware, as well as the recent use of the Sword2033 backdoor, shows Alloy Taurus continues to evolve its operations in support of its espionage activities.

Chinese state-sponsored threat actor Alloy Taurus has introduced a new variant of PingPull malware, designed to target Linux systems, Palo Alto Networks said in its research. Along with the new variant, the researchers also identified another backdoor called Sword2033.

Alloy Taurus, a Chinese APT, has been active since 2012. The group conducts cyberespionage campaigns across Asia, Europe, and Africa. It is known to target telecommunication companies but in recent years has also been observed targeting financial and government institutions.

The first samples of the PingPull malware date back to September 2021. In June 2022, researchers at Palo Alto Networks outlined the functionality of the tool and attributed it to Alloy Taurus. PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.

“The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities,” Palo Alto Networks said in its research.

The new Linux variant of PingPull was identified in March. Currently, three out of 62 vendors found the sample to be malicious.

Linux variant of PingPull

The Linux variant of PingPull was identified based on matching HTTP communication structure, POST parameters, AES key, and C2 commands. It uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the C2 domain over HTTPS, Palo Alto Networks said in its research.

“The payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. This is the same key that we previously observed in the original Windows PE variant of PingPull,” the research report said.

The new Linux variant is similar to the earlier Windows version in its functionality. It allows the attackers to list, read, write, copy, rename, and delete files, as well as run commands.

PingPull also shares some functions, HTTP parameters, and command handlers with the China Chopper web shell. According to the report, this indicates that “Alloy Taurus is using code they might be familiar with, and they are integrating it into the development of custom tooling.”

The researchers also identified another backdoor, Sword2033. Its communication process with the C2 server is the same as that of the PingPull Linux variant. The backdoor performs three functions: uploading a file to the system, downloading a file from the system, and executing a command.

Connection to South Africa and Nepal

While the IP addresses of the C2 domains do not show any connection with the South African government, the researchers said the domain name gives the impression of a connection to the South African military.

“The establishment of a C2 server that appears to impersonate the South African military is uniquely notable when analyzed in the context of recent events. In February 2023, South Africa joined Russia and China to participate in combined naval exercises,” Palo Alto said in its research.

Analyzing the traffic to the Sword2033 C2 server, the researchers identified sustained connections originating from an IP address that hosts several subdomains for an organization that finances long-term urban infrastructure development projects in Nepal.

“Alloy Taurus remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa,” the research report said. To protect themselves, organizations need to focus on improving their network security, endpoint security, and security automation, Palo Alto Networks added.
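The article notes that the original PingPull variant uses ICMP for its C2 channel, which is worth a concrete look from the detection side. The script below is an added example, not code from the Palo Alto Networks report or from the malware: it parses ICMP echo packets, verifies the checksum, and scores each packet against the default payloads of the Linux (iputils) and Windows ping utilities, flagging echo traffic whose payload is non-standard, Base64-shaped, or unusually large. The sample packets are constructed inside the script, the 128-byte size threshold and the Base64 heuristic are the author's assumptions, and nothing here reproduces PingPull's actual ICMP message format, which the article does not describe.

```python
"""Heuristic checks for ICMP echo traffic that may carry tunnelled C2 data.

Added example for illustration; packets and thresholds are constructed/assumed.
"""
import base64
import binascii
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Default 32-byte payload sent by the Windows ping utility.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
# Assumed threshold: echo payloads longer than this are unusual for plain ping.
LARGE_PAYLOAD_BYTES = 128


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a well-formed ICMP echo packet; used here only to construct samples."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP packet into header fields and payload, verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than the 8-byte header")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]  # checksum field cleared
    return {
        "type": icmp_type, "code": code, "ident": ident, "seq": seq,
        "checksum_ok": icmp_checksum(zeroed) == csum,
        "payload": packet[8:],
    }


def is_linux_ping_payload(payload: bytes) -> bool:
    """iputils ping fills byte i of the payload with the value i, then overwrites
    the first 8 or 16 bytes with a timestamp; check the counting pattern after that."""
    if len(payload) <= 16:
        return False
    return all(payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def looks_like_base64(payload: bytes) -> bool:
    """True if the payload is a non-trivial, strictly valid Base64 string."""
    if len(payload) < 16 or len(payload) % 4:
        return False
    try:
        base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def assess_echo(packet: bytes) -> list:
    """Return the reasons an ICMP echo packet deserves analyst attention (empty = benign)."""
    info = parse_icmp(packet)
    reasons = []
    if info["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return reasons  # only echo traffic is scored here
    payload = info["payload"]
    if not info["checksum_ok"]:
        reasons.append("bad checksum")
    standard = payload == WINDOWS_PING_PAYLOAD or is_linux_ping_payload(payload)
    if not standard:
        reasons.append("non-standard payload")
        # Windows' default payload happens to be valid Base64, so only test non-standard data.
        if looks_like_base64(payload):
            reasons.append("base64-like payload")
    if len(payload) > LARGE_PAYLOAD_BYTES:
        reasons.append("large payload")
    return reasons


# Constructed samples (not real captures).
SAMPLE_LINUX_PING = build_echo(b"\x00" * 16 + bytes(range(16, 56)))
SAMPLE_WINDOWS_PING = build_echo(WINDOWS_PING_PAYLOAD)
SAMPLE_TUNNELLED = build_echo(
    base64.b64encode(b"constructed opaque blob standing in for tunnelled data"),
    ICMP_ECHO_REPLY,
)

if __name__ == "__main__":
    for name, pkt in [("linux ping", SAMPLE_LINUX_PING),
                      ("windows ping", SAMPLE_WINDOWS_PING),
                      ("tunnelled", SAMPLE_TUNNELLED)]:
        print(f"{name}: {assess_echo(pkt) or 'benign'}")
```

Run against real traffic, the same `assess_echo` function would be fed the ICMP layer of each packet from a capture; the standard-payload whitelist keeps routine monitoring pings quiet, while the Base64 and size heuristics surface the kind of opaque, encoded data an ICMP-tunnelling implant has to carry somewhere.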