PingPull Malware Detection: New Stealthy RAT Used by Gallium APT

Researchers report new attacks with an upgraded remote access trojan (RAT) dubbed PingPull launched by Gallium hackers. The Gallium APT has been around since at least 2012 and bears the markings of what is likely a nation-state threat actor, believed to be backed by the Chinese government. Their latest activity is characterized by APT’s strive to evolve and expand the used malware toolsets. In their previous attacks, the Gallium hackers employed Gh0st RAT and Poison Ivy malware, this time striking with the PingPull RAT.

The malware family called PingPull is characterized by outstanding stealthiness. It is written in Visual C++ and uses ICMP, HTTP(S), and raw TCP as the protocols for C2. The use of ICMP tunneling ensures the PingPull is difficult to detect.

Detect PingPull Malware

In order to effortlessly detect the signature ID of PingPull malware, use the Sigma rule below released by the keen Threat Bounty Program developer Nattatorn Chuensangarun, who is always on the lookout for the new threats:

Palo Alto Networks Signature Detection for PingPull Malware used by GALLIUM

SOC Prime’s Threat Bounty Program welcomes both experienced and aspiring threat hunters to share their Sigma-based detection content in exchange for expert coaching and steady income.

The detection rule above is aligned with the MITRE ATT&CK® framework v.10, addressing the Command and Control tactic represented by the Remote Access Software (T1219) technique, and can be used across 21 SIEM, EDR, and XDR platforms.

SOC Prime offers efficient and cost-effective solutions to fend off even the most sophisticated attempts at compromising your system. The Detect & Hunt button unlocks access to the Detection as Code platform, allowing SOC practitioners to maximize their professional efficacy by accelerating both retrospective and proactive threat hunting and cooperating with leaders in the worldwide cybersecurity community.

Instantly hunt for the latest threats within 25+ supported SIEM, EDR, and XDR technologies with our innovative Cyber Threats Search Engine. Press the Explore Threat Context button to access in-depth cyber threat information and relevant context with sub-second search performance.

Detect & Hunt Explore Threat Context

PingPull Malware Description

Security analysts at Unit42 (Palo Alto Networks) released research detailing the latest attacks with PingPull malware. Behind the disclosed hacks was the China-backed Gallium APT group that has been terrorizing telecom providers worldwide for a while now. This latest wave is aimed at Europe, Southeast Asia, and Africa entities in a broad array of sectors, including the financial, telecommunications, and government, the researchers wrote this month.

Chinese state-backed hackers reportedly launched a number of attacks in the last couple of years – according to the current data, adversaries have used 170+ IP addresses since late 2020.

Upon infiltrating the target, the RAT runs as a service with a bogus service description to confuse users and establish persistence. Experts also observed that there are three variants of this malware with the same functionality but designed to leverage different protocols with communication with their command and control centers. PingPull allows adversaries to run commands, manipulate the files, and access a reverse shell within compromised systems.

State-backed APTs are an excelling and dangerous facet of the modern cybersecurity threat landscape. The SOC Prime platform superchargers your defense against APTs’ ever-evolving hacking solutions. Test the content streaming capabilities of the CCM module and help your organization empower daily SOC operations with cyber threat intelligence. Keep the finger on the pulse of the fast-paced environment of cybersecurity risks and get the best mitigation solutions with SOC Prime.