Alloy Taurus Hackers Update PingPull Malware to Target Linux Systems

Written by

The threat actor known as Alloy Taurus has been observed deploying a new variant of the PingPull malware targeting Linux systems.

Assessed by Palo Alto Networks’ Unit 42 to be a Chinese advanced persistent threat (APT) group focusing on espionage campaigns, Alloy Taurus has been active since at least 2012.

Read more on China-based threat actors: EU Cybersecurity Agency Warns Against Chinese APTs

“This group has historically targeted telecommunications companies operating across Asia, Europe and Africa,” wrote Unit 42 in an advisory published earlier today. “In recent years, we have also observed the group expand their targeting to include financial institutions and government entities.”

As part of the new campaign, the security researchers said they also saw Alloy Taurus targeting individuals in South Africa and Nepal.

The Linux sample observed by Unit 42 was initially identified as benign by most vendors. However, further analysis revealed that it matched the communication structure, parameters and commands of the known PingPull malware. 

The malicious tool is designed to communicate with its command-and-control (C2) server using encrypted data and can receive and execute commands from the server. The results of these commands are then sent back to the server for further action. 

According to Unit 42, this Linux variant of PingPull malware uses the same AES key as the original Windows PE (Preinstallation Environment) variant for encrypting its communication with the C2 server.

While investigating the C2 domain of the PingPull Linux variant, researchers also identified an additional sample that communicated with the same domain. 

This malware was found to be a backdoor the team called Sword2033. The backdoor supports three essential functions: uploading and downloading files to and from the system, and executing commands. These commands are identical in value and functionality to those used by the PingPull malware. Further analysis of the C2 infrastructure revealed links to Alloy Taurus activities.

“The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of their espionage activities,” reads the advisory.

“We encourage all organizations to leverage our findings to inform the deployment of protective measures to defend against this threat group.”

The findings come amid Russian-backed hackers turning to cyber-espionage in Ukraine.

What’s hot on Infosecurity Magazine?