Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.
Latest posts by Esme Greene (see all)
- “Ducktail” Hackers Target Facebook - September 28, 2023
- Okta Breach: Super Admin Hack - September 24, 2023
- Rackspace: $10.8M Cloud Shift - September 23, 2023
Chinese attackers’ most recent online spying attempts target Linux using new malware versions. Researchers have identified “Sword2033” as a backdoor and a new PingPull ransomware version as tools used by the attackers.
Unit 42 made the initial discovery of PingPull, a remote access trojan (RAT), last summer. The state-sponsored Chinese outfit Gallium, also known as Alloy Taurus, employed it in espionage operations. Governmental and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines were the targets of those attacks.
The Investigation
Investigators from Unit 42 kept an eye on these espionage operations and discovered today—literally—that the Chinese hacker is once more employing PingPull in his most recent attacks, namely its new Linux edition and this time against sites in South Africa and Nepal.
Only 3 out of 62 antivirus vendors presently classify the ELF file PingPull for Linux as malicious. By comparing the HTTP communications structure, POST parameters, AES key, and directives from C2 servers, experts were able to conclude that this virus was a version of a well-known Windows infection.
The script handlers uncovered in PingPull resemble those seen in China Chopper, a web shell that is frequently used in attacks against Microsoft Exchange servers, according to Unit 42 researchers.
Researchers also uncovered a Sword2033 backdoor that was earlier undetected and made communication with the same C2 server as PingPull. It is a simpler tool with fundamental capabilities including exfiltrating files, posting files to a compromised machine, and running arbitrary instructions.
It is noteworthy that Unit 42 also discovered a second instance of Sword2033 connected to a separate C2 server. The remote server’s IP address indicates that this backdoor purposefully attempted to imitate a product of the South African military.
The Attackers Plan
In summary, Gallium attackers are expanding the market they are targeting and expanding their toolkit by utilizing the recently found Sword2023 backdoor as well as newer versions of PingPull for Linux.
Instead of depending exclusively on static detection techniques, organizations must create a complete security plan to successfully tackle this sophisticated threat.