The Gallium APT (Advanced Persistent Threat) group has been running an attack campaign targeting financial institutions and government entities across several continents. More specifically, this latest operation of the likely Chinese-sponsored hacker group has been leveraged against targets in Russia, Belgium, Vietnam, Cambodia, Australia, the Philippines, Malaysia and Afghanistan. Furthermore, according to the cybersecurity researchers at Palo Alto Networks' Unit 42, the threat actor has deployed a new, especially stealthy RAT (Remote Access Trojan) tracked as 'PingPull.'
The PingPull threat is designed to infiltrate the targeted devices and then create a reverse shell on them. Afterward, the attackers will have the ability to remotely execute arbitrary commands. The report by Unit42 reveals that three separate variants of PingPull have been identified. The major difference between them is the utilized communication protocol - ICMP, HTTPS or TCP. It is likely that the Gallium hackers pick the variant that will provide them with the best chances to evade specific network detection methods or security tools based on previously acquired information about the target.
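From the defender's side, the ICMP variant is the one most likely to slip past tooling that only inspects TCP and HTTP, so the useful question is what ordinary echo traffic looks like and how C2-carrying echoes differ from it. The following is an added example, not code from the Unit 42 report or from the PingPull sample: it triages a constructed list of ICMP echo requests, passes payloads that match stock OS ping templates, and flags the rest on size, entropy (AES ciphertext approaches 8 bits per byte) and repetition from a single source. The packet list, the Linux template layout and the three thresholds are assumptions and should be tuned against your own baseline.

```python
"""Heuristic triage of ICMP echo-request payloads for tunnelling/C2 use.

Constructed example (not from the Unit 42 report): the packet list below is
made up, and the stock-ping templates and thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Default payload sent by Windows ping.exe (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

# Assumed stock iputils ping layout: 16-byte timestamp followed by 0x10..0x37.
LINUX_PING_PATTERN = bytes(range(0x10, 0x38))

HIGH_ENTROPY_BITS = 7.0     # assumed: AES ciphertext approaches 8 bits/byte
OVERSIZED_BYTES = 256       # assumed: larger than any stock ping payload
BEACON_COUNT = 5            # assumed: repeated non-stock echoes from one host


@dataclass
class IcmpEcho:
    src: str
    dst: str
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_stock_ping_payload(payload: bytes) -> bool:
    """True when the payload matches a known OS ping template."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[16:] == LINUX_PING_PATTERN


def triage_icmp(packets: list[IcmpEcho]) -> dict[str, list[str]]:
    """Return {"pktN" or "src:<ip>": [reasons]} for suspicious echoes.

    Per-packet rules catch large or ciphertext-like payloads; the per-source
    rule catches short encrypted beacons that no single-packet rule sees.
    """
    findings: dict[str, list[str]] = defaultdict(list)
    non_stock_by_src: Counter = Counter()
    for idx, pkt in enumerate(packets):
        if is_stock_ping_payload(pkt.payload):
            continue
        non_stock_by_src[pkt.src] += 1
        key = f"pkt{idx}"
        if len(pkt.payload) > OVERSIZED_BYTES:
            findings[key].append("oversized")
        if shannon_entropy(pkt.payload) >= HIGH_ENTROPY_BITS:
            findings[key].append("high_entropy")
    for src, count in non_stock_by_src.items():
        if count >= BEACON_COUNT:
            findings[f"src:{src}"].append(f"non_stock_echoes={count}")
    return dict(findings)


def _pseudo_ciphertext(seed: int, blocks: int) -> bytes:
    """Deterministic high-entropy bytes standing in for AES ciphertext."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(blocks))


# Constructed sample capture: two stock pings, one bulk transfer, six short beacons.
SAMPLE_PACKETS = [
    IcmpEcho("10.0.0.11", "10.0.0.1", WINDOWS_PING_PAYLOAD),
    IcmpEcho("10.0.0.12", "10.0.0.1", b"\x00" * 16 + LINUX_PING_PATTERN),
    IcmpEcho("10.0.0.13", "203.0.113.9", _pseudo_ciphertext(1, 20)),   # 640 bytes
] + [
    IcmpEcho("10.0.0.14", "203.0.113.9", _pseudo_ciphertext(2 + i, 1))  # 32 bytes each
    for i in range(6)
]

if __name__ == "__main__":
    for key, reasons in triage_icmp(SAMPLE_PACKETS).items():
        print(key, ", ".join(reasons))
```

The 32-byte beacons deliberately defeat the entropy rule (a 32-byte payload cannot exceed 5 bits per byte), which is why the per-source count is the rule that catches them; in practice the same three signals are worth emitting as separate alert fields so an analyst can see which one fired.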
All three variants exist on the infiltrated machines as a service whose description mimics that of a legitimate service. The commands recognized by the variants are also the same. They include manipulating the file system, running commands via cmd.exe, enumerating the storage volumes, timestomping files, and sending data to the Command-and-Control (C2, C&C) server of the operation. The incoming traffic from the C2 is encrypted with the AES cryptographic algorithm. To decrypt the commands and their parameters, the beacon has a pair of hardcoded keys.