For cybercriminal groups targeting the average user, it is usually enough that you keep your wits about you and don’t get tricked into exposing yourself. But in some cases, like the group known as GALLIUM, the average person is of no concern, as this group is after the big fish. Specifically, they go after the telecom, finance and government entities, and their new tool to do so is a remote access trojan known as PingPull.
As Palo Alto Networks reports, PingPull sets up a reverse shell on a compromised host, allowing cyber attackers to execute commands remotely. These range from being able to read, write and delete files to moving or copying files while mimicking the original’s creation, write and access times. It can even allow running of commands via cmd.exe remotely.
The report also says that GALLIUM has three variants of PingPull that are functionally the same, but use different communication protocols – ICMP, HTTP(S) and raw TCP. According to the report, few organisations implement ICMP traffic inspection on their networks, which makes that particular variant difficult to detect.
ADVERTISEMENT
It may also be worth mentioning that GALLIUM is also known as Softcell. And on that note, Palo Alto Networks believes it to be a Chinese state-sponsored group. This assumption is made based on not only the group’s geographical targeting and sector-specific focus, but also its use of malware and tactics, techniques and procedures of other known state-backed groups.
(Source: Palo Alto Networks)
Follow us on Instagram, Facebook, Twitter or Telegram for more updates and breaking news.
