The Chinese hacker group called Alloy Taurus is using a Linux variant of a backdoor called PingPull, as well as a new undocumented tool called Sword2033.
This is what emerges from the discoveries of Palo Alto Networks Unit 42, which has singled out Group’s recent cybercrime activities targeting South Africa and Nepal.
Alloy Taurus, who they are and how they operate
Alloy Taurus is the name given to a malicious group known for its attacks against telecommunications companies since at least 2012. It is also followed by Microsoft as Granite Typhoon (formerly Gallium).
Last month, the group was attributed to a campaign called Tainted lovewhich has targeted telecom service providers in the Middle East, as part of a larger operation dubbed Soft Cell.
The recent cyber espionage attacks carried out by Alloy Taurus have also broadened their scope to include financial institutions and government entities.
PingPull, documented first released by Unit 42 in June 2022, it is a remote access Trojan that uses the Internet Control Message Protocol (ICMP) for command and control (C2) communications.
The Linux version of the malware, uploaded to VirusTotal on March 7, 2023, has similar functionality to its Windows counterpart, allowing you to perform file operations and execute arbitrary commands by transmitting from server C2 a single uppercase character between A and K, and m.
“At runtime, this sample is configured to communicate with the yrhsywu2009.zapto domain[.]org on port 8443 for C2,” Unit 42 said. “It uses a statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the domain via HTTPS.”
Interestingly, the mode of parsing instructions C2 of PingPull reproduces that of China Choppera web shell widely used by Chinese attackers, suggesting that the group is repurposing existing source code to create custom tools.
Closer examination of the domain mentioned above also revealed the existence of another ELF artifact (namely Sword2033) which supports three basic functions including uploading and exfiltrating files from the system and executing commands.
The malware’s ties to Alloy Taurus stem from the fact that the domain resolved to an IP address that was previously identified as an Active Indicator of Compromise (IoC) associated with a 2021 campaign targeting companies operating in Southeast Asia, Europe and Africa.
According to the cybersecurity firm, the targeting of South Africa comes in the context of the country holding a 10-day joint naval exercise with Russia and China this year.
“Alloy Taurus remains an active threat to telecommunications, finance and government organizations in Southeast Asia, Europe and Africa“Unit 42 said.
“The detection of a Linux variant of the PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to evolve its operations in support of its espionage activities.”
Why are operating systems on Linux kernels increasingly attacked?
The subject would require a separate article, but one thing that is as trivial as it is true can be said: the more widespread an operating system is, the more likely it is to be under attack.
Simply a matter of the law of large numbers, the number of machines running Linux-based operating systems (Ubuntu, ZorinOS, Lubuntu, Linux Lite OS, etc.) has skyrocketed in recent years, both for those who are “tired” of Windows , you want those with special needs and this has meant that the various bad guys gear up to keep “up with the times”.
As mentioned, however, this would require a separate article that discusses this topic in depth.
#Alloy #Taurus #hacker #group #PingPull #backdoor