Hackers are using new Linux malware variants in cyber espionage attacks, including a recently discovered Linux variant of PingPull and a previously undocumented backdoor known as “Sword2033.”
The remote access trojan (RAT) nicknamed PingPull was first discovered by Unit 42 last summer during espionage operations carried out by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. Government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines were the targets of those attacks.
According to Unit 42, which has been tracking these espionage efforts, the Chinese threat actor is now using the new malware versions against victims in South Africa and Nepal.
PingPull on Linux
At the time of writing, only 3 of 62 antivirus vendors flag the ELF file of the Linux PingPull variant as malicious.
Unit 42 concluded that the sample is a port of the known Windows malware by comparing the sequence of its HTTP communications, its POST parameters, its AES key, and the commands it accepts from the threat actor’s C2 server.
The C2 server selects the command to run with a single capital letter in an HTTP parameter, and the implant returns the results to the server as base64-encoded requests.
Unit 42 also notes that PingPull’s command handlers resemble those of the “China Chopper” web shell, which was widely used in attacks against Microsoft Exchange servers.
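As an added example (not code from Unit 42 or from this article), a small Python hunting heuristic that scores HTTP request records against the two traffic traits described above, run over constructed sample records. The single-letter parameter check and the base64 body check are assumptions drawn only from that description, so a hit is a triage lead for an analyst, not a detection of PingPull itself.

```python
"""Heuristic hunt for PingPull-style C2 traffic in HTTP request logs."""
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed sample records, not real PingPull captures: (method, path+query, body)
SAMPLE_REQUESTS = [
    ("POST", "/index.php?A=1", "aGVsbG8gd29ybGQ="),    # single-letter param + base64 body
    ("POST", "/login", "user=alice&password=hunter2"),   # ordinary form post
    ("GET", "/api/items?page=2&sort=name", ""),          # ordinary API call
    ("POST", "/upload?Q=", "notbase64!!"),               # single-letter param, body not base64
]

SINGLE_UPPER = re.compile(r"^[A-Z]$")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_base64(text: str, min_len: int = 8) -> bool:
    """True if text is a syntactically valid, non-trivial base64 string."""
    text = text.strip()
    if len(text) < min_len or len(text) % 4 != 0 or not B64_ALPHABET.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def has_single_letter_param(path: str) -> bool:
    """True if any query parameter name is exactly one capital letter."""
    query = path.partition("?")[2]
    return any(SINGLE_UPPER.match(k) for k, _ in parse_qsl(query, keep_blank_values=True))


def score_request(method: str, path: str, body: str) -> int:
    """Score 0-2: one point per trait from the article's description."""
    score = 0
    if has_single_letter_param(path):
        score += 1
    if method == "POST" and looks_base64(body):
        score += 1
    return score


def suspicious(requests=SAMPLE_REQUESTS, threshold: int = 2):
    """Return the requests whose score reaches threshold (both traits present)."""
    return [r for r in requests if score_request(*r) >= threshold]


if __name__ == "__main__":
    for record in suspicious():
        print("review:", record)
```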
More about Sword2033
Unit 42 found a second Sword2033 sample that used a new C2 address impersonating the South African military.
The same sample was linked to an address for a SoftEther VPN, a product Gallium has been reported to use.
This was not a random choice, the cybersecurity firm says: in February 2023, South Africa took part in joint military drills with Russia and China.
In short, with the newly discovered Linux PingPull variant and the recently revealed Sword2033 backdoor, Gallium continues to refine its arsenal and expand its targeting.