Date: 2023-04-26

Unit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems.

The team also identified a new backdoor named Sword2033 which is linked to the same command and control infrastructure.

The infrastructure was leveraged by a Chinese threat actor named Alloy Taurus, known for their cyberespionage campaigns.

Cyberespionage campaigns

Alloy Taurus has been operational since at least 2012, and it is known to be an advanced persistent threat group that focuses on cyberespionage campaigns. The group targeted multiple telecommunications companies operating across Asia, Europe, and Africa in the past and recently started targeting financial institutions and government entities. PingPull malware was initially discovered in September of 2021, and a detailed report about the malware was published in 2022.

The new variant was discovered when it was uploaded to VirusTotal, and additional analysis showed that this sample is a Linux variant of PingPull malware. The determination was based on matching HTTP communication structure, POST parameters, AES key, and C2 commands. It is configured to communicate with C2 over port 8443 and uses a statically linked OpenSSL library to interact with the domain over HTTPS.

The payload then expects the C2 server to respond with data that is Base64-encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. The same key was observed in the original Windows PE variant of PingPull.

In order to defend against the threats described, Palo Alto Networks recommends organizations employ the following capabilities:
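As an added triage example (not code from Unit 42 or from the PingPull sample), the helper below takes a captured C2 response body and checks whether it Base64-decodes and then decrypts cleanly under the key the report lists, which is how an analyst would confirm that a suspect response on port 8443 belongs to this family and recover its content for review. The page does not state the AES mode, IV, or padding; the block assumes AES-128-CBC with the IV equal to the key and PKCS#7 padding, and the log format and plaintext it scans are constructed for the example.

```python
"""Triage helper for suspected PingPull C2 response bodies.

Added example, not Unit 42 code. The key is the one named in the report;
the cipher mode (CBC), IV (reused from the key) and PKCS#7 padding are
assumptions, since the page does not specify them. Requires the
'cryptography' package.
"""
import base64
import binascii

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PINGPULL_KEY = b"P29456789A1234sS"  # 16 bytes -> AES-128, as listed in the report
ASSUMED_IV = PINGPULL_KEY           # assumption: IV taken from the key (not on the page)


def try_decrypt_pingpull(b64_body, key=PINGPULL_KEY, iv=ASSUMED_IV):
    """Return the plaintext if the body is valid Base64 whose decoded bytes
    decrypt under `key` with well-formed PKCS#7 padding; otherwise None.

    A None result means "not a PingPull-style response under this key",
    which is the signal a detection or triage pipeline wants."""
    try:
        ciphertext = base64.b64decode(b64_body, validate=True)
    except (binascii.Error, ValueError):
        return None  # not Base64 at all
    if not ciphertext or len(ciphertext) % 16:
        return None  # CBC ciphertext must be a non-empty multiple of the block size
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    try:
        return unpadder.update(padded) + unpadder.finalize()
    except ValueError:
        return None  # padding check failed: wrong key, wrong mode, or unrelated data


def build_constructed_sample(plaintext, key=PINGPULL_KEY, iv=ASSUMED_IV):
    """Produce Base64 ciphertext for offline testing only (constructed data,
    not a real capture): pad, AES-CBC encrypt, Base64 encode."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize())


def scan_response_log(lines):
    """Scan constructed log lines of the form '<dst_host>:<port> <base64 body>'
    and return (endpoint, plaintext) for every body that decrypts cleanly.
    Port 8443 is the port the report names for this variant's C2 channel;
    the scan still tries every line so a port change is not missed."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        endpoint, body = parts
        plaintext = try_decrypt_pingpull(body.encode("ascii", "ignore"))
        if plaintext is not None:
            hits.append((endpoint, plaintext))
    return hits


# Constructed sample log: one benign Base64 blob, one PingPull-style body.
SAMPLE_LOG = [
    "203.0.113.10:443 " + base64.b64encode(b"ordinary response").decode(),
    "198.51.100.7:8443 " + build_constructed_sample(b"constructed plaintext").decode(),
    "malformed line without body",
]

if __name__ == "__main__":
    for endpoint, plaintext in scan_response_log(SAMPLE_LOG):
        print(f"{endpoint}: decrypts under PingPull key -> {plaintext!r}")
```

The "ordinary response" line is Base64 but its decoded length is not a multiple of 16, so it is rejected before any decryption; an unrelated body that happens to be block-aligned is rejected by the padding check. Treat a clean decryption as a strong indicator rather than proof, and confirm the mode and IV against a real sample before relying on the assumptions above.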

Network Security: Delivered through a Next-Generation Firewall (NGFW) configured with machine learning enabled, and best-in-class, cloud-delivered security services. This includes, for example, threat prevention, URL filtering, DNS security and a malware prevention engine capable of identifying and blocking malicious samples and infrastructure.

Endpoint Security: Delivered through an XDR solution that is capable of identifying malicious code through the use of advanced machine learning and behavioral analytics. This solution should be configured to act on and block threats in real time as they are identified.

Security Automation: Delivered through an XSOAR or XSIAM solution capable of providing SOC analysts with a comprehensive understanding of the threat derived by stitching together data obtained from endpoints, network, cloud and identity systems.