Threat Management, Distributed Workforce

Chinese-linked APT adds governments, financial companies to target list

Share
A traffic light shows red under a cellular phone tower that stands on top of an office building on Jan. 2, 2019, in Berlin. (Photo by Sean Gallup/Getty Images)
A Chinese-linked group is targeting global infrastructure, Palo Alot Netrwork's researchers disclosed. Pictured: A traffic light shows red under a cellular phone tower that stands on top of an office building on Jan. 2, 2019, in Berlin. (Photo by Sean Gallup/Getty Images)

A suspected Chinese-linked hacking outfit known to target telecommunications infrastructure is expanding its portfolio to target entities in the financial and government sectors using a new piece of malware, according to researchers from Palo Alto Networks Unit 42.

The threat group known as GALLIUM has been spotted leveraging a new remote access trojan tool — dubbed PingPull — that is written in Visual C++ and utilizes three different internet network protocols to identify compromised systems and communicate with command-and-control infrastructure: Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP) as well as Hypertext Transfer Protocol (HTTP and HTTPS). It also uses ICMP tunneling techniques to hide those communications from network defenders.

“GALLIUM remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa. Over the past year, we have identified targeted attacks impacting nine nations,” Unit 42 researchers wrote.

The development of custom malware tools marks a shift from the group’s earlier operations in 2018 and 2019, when it mostly relied on publicly available exploits to hack unpatched systems in a worldwide campaign targeting telecommunications firms.

A sample of the malware gleaned from one victim organization in Vietnam in September 2021 found that it called out to a domain that used the same certificates across numerous subdomains. Using that foothold, the researchers found more samples and mapped out their corresponding digital infrastructure to identify at least 170 IP addresses associated with the campaign dating back to late 2020.

According to the company, both the U.S. National Security Agency’s Cybersecurity Collaboration Center and Australian Cyber Security Centre contributed to the findings.

“Over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities,” researchers wrote. “During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Related

Novel WolfsBane backdoor leveraged in Chinese attacks against Linux systems

Attacks with Wolfsbane commence with the deployment of the 'cron' dropper delivering the KDE desktop component-spoofing launcher, which deactivates SELinux and alters user configuration files before triggering the privacy malware component that has file operation, data theft, and system manipulation command support, an analysis from ESET revealed.

Related Events

Related Terms

BackdoorBring Your Own Device (BYOD)Business Email Compromise (BEC)DNS SpoofingDeepfakeDefacementDenial of ServiceDistributed ScansDrive-by DownloadDumpSec

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.