A new Linux variant of the PingPull malware used by Chinese advanced persistent threat (APT) group Alloy Taurus (Gallium) has been reported as an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa.

In an April 26 blog post, Unit 42 of Palo Alto Networks said that while they were tracking the infrastructure leveraged by the APT group for the PingPull Linux variant, they also identified its use of another backdoor they named Sword2033.

The Unit 42 researchers said the first samples of the PingPull malware date back to September 2021. Monitoring its use across several campaigns, Unit 42 published research in June outlining the functionality of PingPull and attributed the use of the tool to Alloy Taurus. The Chinese APT group has been operating since at least 2012, the researchers said.

As of April 26, Unit 42 said three out of 62 vendors found the sample of the Linux variant of the PingPull malware as malicious. This determination was made based on matching HTTP communication structure, POST parameters, AES keys, and C2 commands, which are outlined in the blog post. The researchers also found that Sword2033 runs as a simple backdoor that does the following: uploads a file to the system (#up); downloads a file from the system (#dn); executes a command, but appends before running it (exc /c:).

Chinese threat actors are known for using APTs to conduct espionage, unlike other criminal groups or nation-state actors whose motives are more monetarily motivated, said Timothy Morris, chief security advisor at Tanium. But this doesn’t mean they couldn’t use the malware for other nefarious means, said Morris.

“Like other malware, this has very comprehensive command-and-control that’s technically proficient, full of obfuscation tactics that utilizes IPv6, making it difficult to detect,” said Morris. “The three variants used (TCP, HTTPs, and ICMP) make it versatile and more stealthy. Unit 42 has provided several IOCs to help detect the malware.”

Andrew Barratt, vice president at Coalfire, added while the specifics of this malware are relatively well understood, at a macro level it shows that the business community needs to more carefully monitor attacks that leverage non-windows systems such as Linux. Barratt pointed out that because it's very easy to deploy Linux workloads using public cloud orchestration tools, it potentially makes the technology more available to less experienced system administrators who might miss the malware’s indicators and make mistakes unknowingly.

“It also shows the need for significant vigilance on the traffic you let ‘out’ of your systems,” said Barratt. “Many organizations have very weak egress filtering because of legacy applications or an unwillingness to do the analysis. This gives malware the ability to establish its command-and-control channel and then give value to an intruder. PingPull hides using ICMP traffic and while this protocol family is mostly used for troubleshooting — it still shouldn’t have free reign out of the network. A relatively small spend on egress management has often huge returns from a security perspective.”

Craig Burland, chief information security officer at Inversion6, agreed that security teams have to pay more attention to Linux systems. Burland said while companies have developed disciplined and effective processes to protect their Windows infrastructure, they have largely ignored Linux and embedded Linux, creating an area of weakness that hackers can easily exploit.

“From application servers to networking gear, Linux is everywhere,” said Burland. “And, it needs the same type of dedication and discipline to keep it secure and supported as Windows. Hopefully, organizations see this threat and quickly scale their patching programs. Otherwise, the bad guys will quickly seize the high ground in the battle for Linux devices.”