Hunting for new GALLIUM APT Group in Network


Researchers from Palo Alto Networks defined the PingPull RAT as a “difficult-to-detect” backdoor that leverages the Internet Control Message Protocol (ICMP) for C2 communications. Experts also found PingPull variants that use HTTPS and TCP for C2 communications instead of ICMP.

The activity of the APT group was first reported by Microsoft in December 2019, when the Microsoft Threat Intelligence Center (MSTIC) warned of the GALLIUM threat group targeting global telecommunication providers worldwide. However, the group has been active at least since 2012.

Since 2021, the cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Unlike past attacks, the group started using the PingPull RAT.

The PingPull Trojan is written in Visual C++; the threat actors used it to obtain a reverse shell and run arbitrary commands on compromised systems.

“PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server. The C2 server will reply to these Echo requests with an Echo-Reply packet to issue commands to the system,” reads the analysis published by Palo Alto Networks. “Continuing this method of pivoting across all of the PingPull samples and their associated C2 domains has resulted in the identification of over 170 IP addresses associated with this group dating back to late 2020.”


The researchers pointed out that GALLIUM is an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The group is improving its cyber espionage capabilities.

Hunt Ideas:

  • PingPull samples that use ICMP for C2 communications: check for ICMP Echo Request (Type 8, Code 0) and ICMP Echo Reply (Type 0) in firewall logs, both outbound and inbound.


  • Another variant of PingPull uses HTTPS requests instead of ICMP to communicate with its C2 server: hunt for HTTPS traffic using the POST method whose content contains the keyword “PROJECT”.
  • All variants use a unique identifier string generated by PingPull that begins with PROJECT, but it can only be observed in some protocols, i.e. HTTP/HTTPS, where the request body is visible to inspection.
  • PingPull mimics the legitimate Windows service (iphlpsvc) with a look-alike fake service (Iph1psvc): hunt for event ID 4697 (a service was installed) and check for the keyword “Iph1psvc”.
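The three hunt ideas above can be expressed as simple log checks. The following Python script is an added example written for this post (it is not code from the Unit 42 analysis or from any vendor tool); every log line in it is constructed, the key=value layout is assumed, the `body_prefix` field assumes a proxy that performs TLS inspection, and the IoC values are the defanged ones published further down this page. The service check goes slightly beyond the single Iph1psvc string: it normalises digit-for-letter substitutions (1 for l, 0 for o) so any look-alike of iphlpsvc built that way is flagged.

```python
import ipaddress
import re

# Defanged IoCs as published on this page; refanged before matching.
PINGPULL_C2_IPS = ["5.181.25[.]55", "92.38.135[.]62", "5.8.71[.]97"]
PINGPULL_C2_DOMAINS = ["df.micfkbeljacob[.]com", "t1.hinitial[.]com"]

# Constructed firewall records (key=value layout is an assumption, not a real product format).
FIREWALL_LOGS = [
    "ts=2022-06-13T10:01:02Z action=allow src=10.0.0.5 dst=5.181.25.55 proto=icmp icmp_type=8 icmp_code=0",
    "ts=2022-06-13T10:01:03Z action=allow src=5.181.25.55 dst=10.0.0.5 proto=icmp icmp_type=0 icmp_code=0",
    "ts=2022-06-13T10:02:00Z action=allow src=10.0.0.7 dst=10.0.0.1 proto=icmp icmp_type=8 icmp_code=0",
    "ts=2022-06-13T10:03:00Z action=allow src=10.0.0.9 dst=203.0.113.8 proto=icmp icmp_type=3 icmp_code=1",
]
# Constructed proxy records; body_prefix is only populated when TLS inspection is in place.
PROXY_LOGS = [
    "ts=2022-06-13T10:05:00Z method=POST host=t1.hinitial.com uri=/ body_prefix=PROJECT_abc123",
    "ts=2022-06-13T10:06:00Z method=GET host=www.example.com uri=/index.html body_prefix=",
    "ts=2022-06-13T10:07:00Z method=POST host=www.example.org uri=/api body_prefix=project=1",
]
# Constructed Windows Security log records (4697 = a service was installed on the system).
WIN_EVENTS = [
    "EventID=4697 ServiceName=Iph1psvc ServiceFileName=C:\\constructed\\path\\svc.exe",
    "EventID=4697 ServiceName=MyBackupAgent ServiceFileName=C:\\constructed\\backup.exe",
    "EventID=4624 LogonType=3 TargetUserName=alice",
]

HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})  # digit-for-letter substitutions


def refang(ioc):
    """Turn the published '[.]' notation back into a matchable value."""
    return ioc.replace("[.]", ".")


def parse_kv(line):
    """Parse a space-separated key=value record into a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def hunt_icmp(lines, c2_ips):
    """Hunt idea 1: ICMP Echo Request (type 8) / Echo Reply (type 0) with an external peer."""
    c2 = {refang(ip) for ip in c2_ips}
    findings = []
    for rec in map(parse_kv, lines):
        if rec.get("proto") != "icmp" or rec.get("icmp_type") not in ("8", "0"):
            continue
        # Outbound request: the peer is dst; inbound reply: the peer is src.
        peer = rec["dst"] if rec["icmp_type"] == "8" else rec["src"]
        if ipaddress.ip_address(peer).is_private:
            continue  # internal pings are normal noise for this hunt
        findings.append({"ts": rec["ts"], "peer": peer, "icmp_type": rec["icmp_type"],
                         "match": "known_c2" if peer in c2 else "external_echo"})
    return findings


def hunt_http_post(lines, c2_domains):
    """Hunt idea 2: POST requests whose body carries the PROJECT identifier."""
    c2 = {refang(d) for d in c2_domains}
    findings = []
    for rec in map(parse_kv, lines):
        if rec.get("method") == "POST" and "PROJECT" in rec.get("body_prefix", ""):
            findings.append({"ts": rec["ts"], "host": rec["host"],
                             "match": "known_c2" if rec["host"] in c2 else "keyword_only"})
    return findings


def looks_like(candidate, legit):
    """True when candidate is a look-alike of legit (same after homoglyph folding, but not identical)."""
    folded = candidate.lower().translate(HOMOGLYPHS)
    return folded == legit.lower() and candidate.lower() != legit.lower()


def hunt_service_install(lines, legit_service):
    """Hunt idea 3: event 4697 installing a look-alike of a legitimate service name."""
    findings = []
    for rec in map(parse_kv, lines):
        if rec.get("EventID") == "4697" and looks_like(rec.get("ServiceName", ""), legit_service):
            findings.append({"service": rec["ServiceName"], "image": rec.get("ServiceFileName", "")})
    return findings


if __name__ == "__main__":
    print("ICMP:", hunt_icmp(FIREWALL_LOGS, PINGPULL_C2_IPS))
    print("HTTP:", hunt_http_post(PROXY_LOGS, PINGPULL_C2_DOMAINS))
    print("SVC :", hunt_service_install(WIN_EVENTS, "iphlpsvc"))
```

In practice the ICMP check is the noisiest of the three, which is why the script separates a hit against a published C2 address (`known_c2`) from a plain external echo pair (`external_echo`); the latter is a lead to triage by volume and frequency rather than an alert on its own. The PROJECT keyword match is case-sensitive on purpose, since the identifier the analysis describes begins with PROJECT in upper case.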

Indicators of Compromise

Samples

de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761

b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541

fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e

c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845

f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3

8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20

1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6

PingPull C2 Locations

df.micfkbeljacob[.]com

t1.hinitial[.]com

5.181.25[.]55

92.38.135[.]62

5.8.71[.]97

Domains

micfkbeljacob[.]com

df.micfkbeljacob[.]com

jack.micfkbeljacob[.]com

hinitial[.]com

t1.hinitial[.]com

v2.hinitial[.]com

v3.hinitial[.]com

v4.hinitial[.]com

v5.hinitial[.]com

goodjob36.publicvm[.]com

goodluck23.jp[.]us

helpinfo.publicvm[.]com

Mailedc.publicvm[.]com

IP Addresses

(Active in last 30 days)

92.38.135[.]62

5.181.25[.]55

5.8.71[.]97

101.36.102[.]34

101.36.102[.]93

101.36.114[.]167

101.36.123[.]191

103.116.47[.]65

103.179.188[.]93

103.22.183[.]131

103.22.183[.]138

103.22.183[.]141

103.22.183[.]146

103.51.145[.]143

103.61.139[.]71

103.61.139[.]72

103.61.139[.]75

103.61.139[.]78

103.61.139[.]79

103.78.242[.]62

118.193.56[.]130

118.193.62[.]232

123.58.196[.]208

123.58.198[.]205

123.58.203[.]19

128.14.232[.]56

152.32.165[.]70

152.32.203[.]199

152.32.221[.]222

152.32.245[.]157

154.222.238[.]50

154.222.238[.]51

165.154.52[.]41

165.154.70[.]51

167.88.182[.]166

176.113.71[.]62

2.58.242[.]230

2.58.242[.]231

2.58.242[.]235

202.87.223[.]27

212.115.54[.]54

37.61.229[.]104

45.116.13[.]153

45.128.221[.]61

45.128.221[.]66

45.136.187[.]98

45.14.66[.]230

45.154.14[.]132

45.154.14[.]164

45.154.14[.]188

45.154.14[.]254

45.251.241[.]74

45.251.241[.]82

45.76.113[.]163

47.254.192[.]79

92.223.30[.]232

92.223.30[.]52

92.223.90[.]174

92.223.93[.]148

92.223.93[.]222

92.38.139[.]170

92.38.149[.]101

92.38.149[.]241

92.38.171[.]127

92.38.176[.]47

107.150.127[.]124

118.193.56[.]131

176.113.71[.]168

185.239.227[.]12

194.29.100[.]173

2.58.242[.]236

45.128.221[.]182

45.154.14[.]191

47.254.250[.]117

79.133.124[.]88

103.137.185[.]249

103.61.139[.]74

107.150.112[.]211

107.150.127[.]140

146.185.218[.]65

152.32.221[.]242

165.154.70[.]62

176.113.68[.]12

185.101.139[.]176

188.241.250[.]152

188.241.250[.]153

193.187.117[.]144

196.46.190[.]27

2.58.242[.]229

2.58.242[.]232

37.61.229[.]106

45.128.221[.]172

45.128.221[.]186

45.128.221[.]229

45.134.169[.]147

103.170.132[.]199

107.150.110[.]233

152.32.255[.]145

167.88.182[.]107

185.239.226[.]203

185.239.227[.]34

45.128.221[.]169

45.136.187[.]41

137.220.55[.]38

45.133.238[.]234

103.192.226[.]43

92.38.149[.]88

5.188.33[.]237

146.185.218[.]176

43.254.218[.]104

43.254.218[.]57

43.254.218[.]98

92.223.59[.]84

43.254.218[.]43

81.28.13[.]48

89.43.107[.]191

103.123.134[.]145

103.123.134[.]161

103.123.134[.]165

103.85.24[.]81

212.115.54[.]241

43.254.218[.]114

89.43.107[.]190

103.123.134[.]139

103.123.134[.]240

103.85.24[.]121

103.169.91[.]93

103.169.91[.]94

45.121.50[.]230

Source/Credits: https://unit42.paloaltonetworks.com/pingpull-gallium/

https://securityaffairs.co/wordpress/132217/apt/gallium-apt-pingpull-trojan.html

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
