If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Chinese hackers use new Linux malware to target Linux systems

Started by Hosting News, Apr 30, 2023, 04:44 AM


Hosting News (Topic starter)

A new variant of PingPull malware has been discovered by Unit 42 researchers, who suspect it is being employed by Chinese state-sponsored hackers.



The Alloy Taurus group is known for conducting cyberespionage campaigns and has been active since at least 2012. In addition to using the new variant of PingPull, they have also been seen employing a backdoor called Sword2033, which shares the same command and control infrastructure. The research also revealed that the new variant of PingPull is specifically designed to target Linux systems.

Alloy Taurus has previously targeted telecommunications companies across Europe, Africa, and Asia, but has more recently set its sights on financial institutions and government entities. The group's activities first came to light in September 2021, and PingPull malware has been a key weapon in its arsenal ever since.

The researchers were able to identify the new variant of PingPull when it was uploaded to VirusTotal, and further analysis indicated that it originated from the same group. The malware is configured to communicate with its command and control server over port 8443 using HTTPS. It can also execute instructions sent from the server in Base64-encoded ciphertext.

To protect against these threats, Palo Alto Networks recommends using a Next-Generation Firewall (NGFW) with machine learning capabilities, an XDR solution, and an XSOAR or XSIAM solution to provide SOC analysts with a comprehensive understanding of the threat landscape.
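The only concrete network detail the post gives is that the Linux PingPull variant talks to its C2 over HTTPS on port 8443. TLS hides the Base64-encoded tasking, so a hunter is left with connection metadata. The script below is an added example (not code from the original post, from Unit 42 or from any PingPull sample) that hunts for periodic outbound beacons to TCP/8443 in a simplified, constructed Zeek-style conn.log. The sample records, the host addresses and the thresholds are all assumptions chosen for illustration.

```python
"""Hunting for periodic C2 beacons to TCP/8443 in connection logs.

Added example for this thread. It assumes only what the post states: the
implant talks to its C2 over HTTPS on port 8443. Regular outbound
connections from one internal host to one external host on that port are a
hunting lead to triage, not proof of compromise (legitimate services use
8443 too).
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# RFC 1918 and loopback space, checked explicitly rather than through
# ipaddress.is_private, because is_private also treats the documentation
# ranges (e.g. 203.0.113.0/24, used in the constructed sample) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample (assumed data) in a simplified Zeek conn.log layout:
# ts, id.orig_h, id.resp_h, id.resp_p, proto (tab-separated).
# 10.0.0.5 -> 203.0.113.10:8443 every ~60 s: the beacon we want to find.
# 10.0.0.7 -> 198.51.100.20:8443 six times at random: not periodic.
# 10.0.0.5 -> 10.0.0.100:8443 periodic but internal: out of scope.
# 10.0.0.5 -> 203.0.113.50:443 periodic but on 443: not the port in question.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1000.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1060.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1121.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1180.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1241.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1300.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1360.0\t10.0.0.5\t203.0.113.10\t8443\ttcp
1000.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
1003.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
1500.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
1510.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
2400.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
2405.0\t10.0.0.7\t198.51.100.20\t8443\ttcp
1010.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1070.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1130.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1190.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1250.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1310.0\t10.0.0.5\t10.0.0.100\t8443\ttcp
1005.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1065.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1125.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1185.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1245.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1305.0\t10.0.0.5\t203.0.113.50\t443\ttcp
1400.0\t10.0.0.9\t203.0.113.10\t8443\tudp
"""


def parse_log(text):
    """Parse the tab-separated sample; Zeek-style '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto})
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_pairs(records, port=8443):
    """Per (internal src, external dst) pair on the given TCP port, compute the
    number of connections, mean inter-arrival time and its coefficient of
    variation (pstdev / mean). A low CV means evenly spaced connections."""
    by_pair = defaultdict(list)
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != port:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        by_pair[(r["src"], r["dst"])].append(r["ts"])
    results = []
    for (src, dst), ts in by_pair.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue  # one interval says nothing about periodicity
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        results.append({"src": src, "dst": dst, "count": len(ts),
                        "mean_interval": m, "cv": cv})
    return sorted(results, key=lambda x: x["cv"])


def find_beacons(records, port=8443, min_conns=6, max_cv=0.2):
    """Flag pairs with enough connections and near-constant spacing."""
    return [p for p in score_pairs(records, port)
            if p["count"] >= min_conns and p["cv"] <= max_cv]


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_CONN_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:8443 every ~{hit['mean_interval']:.0f}s "
              f"({hit['count']} conns, cv={hit['cv']:.3f})")
```

On the constructed sample only the 10.0.0.5 to 203.0.113.10 pair is flagged. The 0.2 CV threshold is an assumption for a tight beacon; an implant that sleeps with heavy jitter spreads its intervals and needs a looser threshold or a longer observation window, and any hit still has to be triaged against the host's process tree and the destination's reputation before it is called PingPull.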


AustinEstrange

This malware represents a significant advancement in the sophistication of malicious software targeting Linux-based environments.
The malware is designed to exploit vulnerabilities in the Linux kernel and associated software components. It may utilize advanced techniques such as kernel-level rootkits, which can give attackers deep access to the compromised systems and allow them to evade detection by traditional security measures.

Furthermore, the malware may incorporate complex evasion mechanisms to bypass modern security solutions, including signature-based antivirus and intrusion detection systems. This could involve polymorphic code or obfuscation techniques to make the malware's behavior appear benign or to actively thwart analysis efforts.
The malware may include command-and-control (C2) capabilities, enabling remote attackers to issue commands, exfiltrate sensitive data, or expand their control within the compromised networks. The C2 infrastructure might be distributed across multiple servers, making it challenging for defenders to disrupt.

To combat this threat, cybersecurity professionals should conduct in-depth malware analysis to identify the specific indicators of compromise and develop custom detection signatures. Furthermore, network traffic monitoring and anomaly detection mechanisms should be employed to identify potential signs of malicious activity associated with this new Linux malware.

Collaboration with industry peers and information sharing through threat intelligence platforms are also vital to ensure that the broader cybersecurity community can respond effectively to this emerging threat. By pooling knowledge and resources, we can collectively enhance our ability to defend against and mitigate the impact of this new wave of Linux-focused malware.

sonbang

They've shifted from telcos in Europe, Africa, Asia to financial and government targets. Detected via VirusTotal, it communicates over HTTPS port 8443, executing Base64-encoded commands. Countermeasures include deploying NGFW with machine learning, XDR for detection, and XSOAR/XSIAM for SOC insights.

