PingPull Is A New Trojan That Targets Telecom, Finance, Government Entities

For cybercriminal groups targeting the average user, it is usually enough that you keep your wits about you and don’t get tricked into exposing yourself. But in some cases, like the group known as GALLIUM, the average person is of no concern, as this group is after the big fish. Specifically, they go after the telecom, finance and government entities, and their new tool to do so is a remote access trojan known as PingPull.

As Palo Alto Networks reports, PingPull sets up a reverse shell on a compromised host, allowing cyber attackers to execute commands remotely. These range from being able to read, write and delete files to moving or copying files while mimicking the original’s creation, write and access times. It can even allow running of commands via cmd.exe remotely.

The report also says that GALLIUM has three variants of PingPull that are functionally the same, but use different communication protocols – ICMP, HTTP(S) and raw TCP. According to the report, few organisations implement ICMP traffic inspection on their networks, which makes that particular variant difficult to detect.

Going back to GALLIUM, Palo Alto Networks say that the group established its reputation by targeting telecom companies in Southeast Asia, Europe and Africa. The report goes on to say that over the past year, when PingPull was discovered, the group’s victims included financial and government entities in Malaysia, among a list of other countries in Southeast Asia.

It may also be worth mentioning that GALLIUM is also known as Softcell. And on that note, Palo Alto Networks believes it to be a Chinese state-sponsored group. This assumption is made based on not only the group’s geographical targeting and sector-specific focus, but also its use of malware and tactics, techniques and procedures of other known state-backed groups.

(Source: Palo Alto Networks)