
Chinese Criminals Deploy New Linux Malware Variants for Espionage Campaigns


By Harper Stewart

Jun 5, 2023

New Linux malware variants are being used by hackers in cyber espionage attacks, including a recently discovered PingPull variant and a previously undocumented backdoor known as “Sword2033.”

The remote access trojan (RAT) named PingPull was first discovered by Unit 42 last summer during espionage operations carried out by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. Government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines were the targets of those attacks.

According to Unit 42, which has been tracking these espionage efforts, the Chinese threat actor is now using new malware versions against victims in South Africa and Nepal.

PingPull on Linux

Only 3 of 62 antivirus vendors currently flag the ELF file of the Linux PingPull variant as malicious.

By comparing the order of the HTTP communications, the POST parameters, the AES key, and the commands it accepts from the attacker’s C2 server, Unit 42 was able to conclude that the sample is a Linux port of the known Windows malware.

A single capital letter in an HTTP parameter identifies the command the C2 server sends to the malware, and the malware returns the results to the server in base64-encoded requests.
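The two traffic traits just described (a one-capital-letter command parameter and base64-encoded result bodies) can be turned into a simple hunting heuristic over proxy or web-server records. The following is an added example written for this article, not code from Unit 42 or from the malware itself; the parameter name `cmd`, the URL, the record format and the sample requests are all constructed assumptions, and the real implant's parameter names and paths are not given on this page.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of outbound HTTP requests as a proxy or SIEM might record
# them: (method, url, body). Hosts, paths and bodies are made up for the example;
# they are not indicators from the Unit 42 research.
SAMPLE_REQUESTS = [
    ("POST", "http://203.0.113.10/index.php?cmd=A", "dWlkPTAocm9vdCk="),   # base64("uid=0(root)")
    ("POST", "http://203.0.113.10/index.php?cmd=D", "bHMgb3V0cHV0"),       # base64("ls output")
    ("POST", "https://example.org/api/login", "user=alice&password=secret"),
    ("GET", "https://example.org/search?q=Linux", ""),
    ("POST", "https://example.org/upload?m=x", "plain body"),
]

SINGLE_CAPITAL = re.compile(r"^[A-Z]$")
BASE64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_base64(text):
    """True if text is non-empty, uses only base64 characters, and decodes cleanly."""
    if not text or len(text) % 4 != 0:
        return False
    if not BASE64_ALPHABET.fullmatch(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except binascii.Error:
        return False
    return True


def single_letter_params(url):
    """Return (name, value) query parameters whose value is exactly one capital letter."""
    query = urlsplit(url).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if SINGLE_CAPITAL.match(value):
                hits.append((name, value))
    return hits


def score_request(method, url, body):
    """Collect the reasons a single request matches the heuristic (assumed traits)."""
    reasons = []
    if method.upper() != "POST":
        return reasons
    letters = single_letter_params(url)
    if letters:
        reasons.append("single-capital-letter parameter: "
                       + ", ".join(f"{n}={v}" for n, v in letters))
    if looks_base64(body):
        reasons.append("base64-encoded POST body")
    return reasons


def find_suspicious(requests):
    """Return (url, reasons) for requests matching BOTH traits.

    Either trait alone is far too common in legitimate traffic to alert on, so
    the heuristic only fires when they occur together in one request.
    """
    flagged = []
    for method, url, body in requests:
        reasons = score_request(method, url, body)
        if len(reasons) == 2:
            flagged.append((url, reasons))
    return flagged


if __name__ == "__main__":
    for url, reasons in find_suspicious(SAMPLE_REQUESTS):
        print(url, "->", "; ".join(reasons))
```

Run over the constructed records, the two requests to `203.0.113.10` are flagged and the three ordinary ones are not. In practice this heuristic is a triage filter rather than a signature: it narrows a large request log down to candidates that still need the AES key, command set and HTTP sequence comparison Unit 42 used to confirm the family.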

Unit 42 notes that the command handlers used in PingPull resemble those found in the “China Chopper” web shell, which was widely used in attacks against Microsoft Exchange servers.

More about Sword2033

Unit 42 also found a second Sword2033 sample that uses a new C2 address chosen to impersonate the South African military.

The same sample was linked to an address hosting a SoftEther VPN, a product Gallium has been reported to use.

According to the cybersecurity firm, this was not a random choice of target: in February 2023, South Africa took part in joint military drills with Russia and China.

In sum, with the newly discovered Linux PingPull variant and the recently revealed Sword2033 backdoor, Gallium continues to refine its arsenal and widen its targeting.


Harper Stewart

With a deep understanding of the complexities of the Dark Web, Harper curates informative and thought-provoking content for our readers. Her knowledge of the hidden corners of the internet and cybersecurity helps shed light on the often mysterious and illicit activities that take place in this realm.