The Gallium state-sponsored hacking group has been spotted using a new ‘PingPull’ remote access trojan against financial institutions and government entities in Europe, Southeast Asia, and Africa.
These entities are based in Australia, Russia, Philippines, Belgium, Vietnam, Malaysia, Cambodia, and Afghanistan.
Gallium is believed to originate from China, and its targeting scope of the telecommunications, finance, and government sectors in espionage operations aligns with the country’s interests.
In recent campaigns, Gallium is employing a new RAT (remote access trojan) named PingPull, which analysts at Unit42 (Palo Alto Networks) characterize as particularly stealthy.
Reverse shells on host
The PingPull malware is designed to give threat actors a reverse shell on the compromised machine, allowing them to execute commands remotely.
Unit42 could sample three distinct variants with similar functionality that use different C2 communication protocols, namely ICMP, HTTPS, and TCP.
The different C2 protocols might be to evade specific network detection methods/tools, with the actors deploying the suitable variant based on preliminary reconnaissance.
In all three cases, the malware installs itself as a service and has a description simulating a legitimate service, aiming to discourage users from terminating it.
The commands that all three variants support are the following:
Enumerate storage volumes (A: through Z:)
List folder contents
Read File
Write File
Delete File
Read file, convert to hexadecimal form
Write file, convert from hexadecimal form
Copy file, sets the creation, write, and access times to match original files
Move file, sets the creation, write, and access times to match original files
Create directory
Timestomp file
Run command via cmd.exe
The commands and their parameters are sent from the C2 in AES-encrypted form, which the beacon can decrypt thanks to a pair of hardcoded keys.
Gallium activities
The infrastructure that Unit 42 was able to uncover and link to Gallium operations includes over 170 IP addresses, some dating back to late 2020.
Microsoft had warned about the group in 2019, highlighting a targeting scope limited to telecommunication service providers at the time.
This snapshot of recent Gallium campaigns revealed a new RAT, which indicates that the hacking group is still an active and evolving threat.
Based on the most recent reports, Gallium has expanded that scope to include key government entities and financial institutions in Asia, Africa, Europe, and Australia.
For this reason, all vital organizations are advised to use the indicators of compromise provided in the Unit 42 report for timely threat detection.