Telecommunication networks, including Internet Service Providers (ISPs) in Malaysia are currently being targeted by a hacking group called Gallium, according to cybersecurity company Palo Alto Networks.
Gallium (also known as Operation Soft Cell), an advanced persistent threat (APT) group, is notorious for its attacks primarily aimed at telecom companies operating in Southeast Asia, Europe and Africa, dating as far back as 2012.
An advanced persistent threat (APT) is a sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network in order to steal highly sensitive data over a prolonged period of time.
Executing an APT attack requires a higher degree of customization and sophistication than a traditional attack. Adversaries are typically well-funded, experienced teams of cybercriminals that target high-value organizations.
Unit 42, a cybersecurity team from Palo Alto Networks recently identified a new, difficult-to-detect remote access trojan named PingPull being used by Gallium. PingPull is a “difficult-to-detect” backdoor, notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to the research published by Unit 42.
PingPull has the capability to leverage three protocols (ICMP, HTTP(S) and raw TCP) for command and control (C2). “While the use of ICMP tunneling is not a new technique, PingPull uses ICMP to make it more difficult to detect its C2 communications, as few organisations implement inspection of ICMP traffic on their networks,”
According to Unit 42, over the past year, this group has extended its targeting beyond telecommunication companies to also include financial institutions and government entities. “During this period, we have identified several connections between GALLIUM infrastructure and targeted entities across Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam,”
Unit 42 said that Gallium is likely a Chinese state-sponsored group.
The PingPull malware is written in Visual C++ and provides a threat actor the ability to run commands and access a reverse shell on a compromised host. There are three variants of PingPull that are all functionally the same but use different protocols for communications with their C2: ICMP, HTTP(S) and raw TCP. In each of the variants, PingPull will create a custom string with the following structure that it will send to the C2 in all interactions, which we believe the C2 server will use to uniquely identify the compromised system:
It’s not immediately clear how the targeted networks are breached, although Gallium is known to exploit internet-exposed applications to gain access. Unit 42 has published a report including over 100 IP addresses associated with the group.[link]– Palo Alto Networks