Hackers have launched a fresh cyber espionage campaign using different versions of Linux malware. Among the malware variants deployed are a new PingPull edition and a previously undocumented backdoor called ‘Sword2033.’ PingPull is classified as a Remote Access Trojan (RAT) and was previously identified by Unit 42 in espionage attacks conducted last summer by the Chinese state-sponsored group Gallium (also tracked as Alloy Taurus). Those attacks were aimed at government and financial institutions in Australia, Belgium, Malaysia, the Philippines, Russia, and Vietnam.
Unit 42 reports that Gallium, a Chinese state-sponsored group, has launched new malware variants against targets in South Africa and Nepal. One of these is a Linux version of PingPull, which only three out of 62 antivirus vendors currently detect as malicious. Unit 42 determined that it is a port of the Windows malware by observing similarities in the HTTP communication structure, POST parameters, AES key, and commands issued from the threat actor’s command and control (C2) server.
These parameters and their corresponding commands include functions such as listing folders, reading and writing text files, and deleting files and folders. PingPull’s command handlers match those used in ‘China Chopper,’ a web shell heavily employed in attacks against Microsoft Exchange servers. Furthermore, Unit 42 found a new ELF backdoor named Sword2033 that communicates with the same C2 server as PingPull. Sword2033 is a simpler tool that performs functions such as uploading and exfiltrating files and executing commands.
A second Sword2033 sample was uncovered by the cybersecurity firm; it was connected to a separate command and control (C2) address that impersonated the South African military. Unit 42 noted that this sample was also linked to a SoftEther VPN address, a tool that Gallium has previously used in its operations.
The researchers believe this choice of lure was not accidental, as South Africa engaged in joint military exercises with Russia and China in February 2023. To sum up, Gallium is broadening its target range and enhancing its arsenal with new Linux versions of PingPull and the recently discovered Sword2033 backdoor. Organizations must implement a comprehensive security strategy to counter this sophisticated threat rather than relying solely on static detection methods.