BleepingComputer reports that Chinese state-backed threat operation Gallium, also known as Alloy Taurus, has leveraged an updated PingPull malware variant and the novel Sword2033 in new attacks aimed at Linux systems in South Africa and Nepal.
Unit 42 researchers determined that Gallium's new Linux PingPull variant is a port of the existing Windows malware, based on similarities in its HTTP communication structure, AES key, command-and-control server commands, and POST parameters. The sample was detected by only three of 62 anti-virus engines at the time of analysis. Its supported commands include deleting files or folders, reading and writing text files, creating directories, and executing commands.
Meanwhile, two samples of another ELF backdoor, Sword2033, have also been found in Gallium's attacks. The first exhibits a simpler feature set, limited to file exfiltration, file uploading, and command execution. The second sample, researchers noted, used a different C2 address that spoofs the South African military.
Several U.S. defense and government organizations have been targeted by state-backed Chinese hacking group Bronze Silhouette, also known as Volt Typhoon, for military intelligence over a period of at least two years, according to The Record, a news site by cybersecurity firm Recorded Future.
Russian, North Korean, and Iranian advanced persistent threat operations have been launching more attacks aimed at compromising small- and medium-sized businesses, as well as their regional managed service providers, reports SecurityWeek.