
Chinese Criminals Deploy New Linux Malware Variants for Espionage Campaigns

Jun 5, 2023
Harper Stewart

New Linux malware variants are being utilized by hackers in cyber espionage attacks, including a recently discovered PingPull variant and an undocumented backdoor known as “Sword2033.”

The RAT (remote access trojan) nicknamed PingPull was first discovered by Unit 42 last summer during espionage operations carried out by the Chinese state-sponsored outfit Gallium, also known as Alloy Taurus. Australian, Russian, Belgian, Malaysian, Vietnamese, and Philippine government and financial institutions were the targets of the attacks.

The Chinese attacker is reportedly using new malware versions against victims in South Africa and Nepal, according to Unit 42, which has been following these espionage efforts.

PingPull on Linux

Only 3 of 62 antivirus vendors currently flag the ELF file of the Linux PingPull variant as malicious.

Unit 42 concluded that the sample is a Linux port of the known Windows malware by comparing its HTTP communication sequence, its POST parameters, its AES key, and the commands it accepts from the threat actor’s C2 server.

The C2 server identifies each command it sends to the malware with a single capital letter in an HTTP parameter, and the malware posts the base64-encoded results of the command back to the server.

Unit 42 also notes that PingPull’s command handlers resemble those of the “China Chopper” web shell, which was widely used in attacks against Microsoft Exchange servers.

More about Sword2033

Unit 42 also found a second Sword2033 sample that used a new C2 address impersonating the South African military.

The same sample was connected to a SoftEther VPN address; Gallium has previously been reported to use that product.

According to the cybersecurity firm, this was not a random choice of target: in February 2023, South Africa took part in joint military drills with Russia and China.

Taken together, the newly discovered Linux PingPull variants and the recently revealed Sword2033 backdoor show that Gallium continues to refine its arsenal and widen its range of targets.