Researchers from Palo Alto Networks defined the PingPull RAT as a “difficult-to-detect” backdoor that leverages the Internet Control Message Protocol (ICMP) for C2 communications. Experts also found PingPull variants that use HTTPS and TCP for C2 communications instead of ICMP.
The activity of the APT group was first reported by Microsoft in December 2019, when the Microsoft Threat Intelligence Center (MSTIC) warned of the GALLIUM threat group targeting global telecommunication providers worldwide. However, the group has been active at least since 2012.
Since 2021, the cyberespionage group has started targeting financial institutions and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Unlike past attacks, the group started using the PingPull RAT.
The PingPull Trojan is written in Visual C++, it was used by threat actors to access a reverse shell and run arbitrary commands on compromised systems.
PingPull samples that use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server. The C2 server will reply to these Echo requests with an Echo-Reply packet to issue commands to the system.” reads the analysis published by Palo Alto Networks. “Continuing this method of pivoting across all of the PingPull samples and their associated C2 domains have resulted in the identification of over 170 IP addresses associated with this group dating back to late 2020.
Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes
The researchers pointed out that GALLIUM is an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The group is improving its cyber espionage capabilities.
Hunt Ideas:
- PingPull samples that use ICMP C2 communications. Check for ICMP Echo Request ( Type 8 & Code 0 ) and ICMP Echo Reply ( Type 0 ) in firewall logs both outbound/inbound.
Also Read: ICMP Attacks – Types & Codes For Log Analysis , Detection & Defense
- Another variant of PingPull uses HTTPS requests to communicate with its C2 server instead of ICMP, Hunt for HTTPS protocol with POST method which contains keyword “PROJECT”
- All the variants use the unique identifier string generated by PingPull that begins with PROJECT. But in some protocols only we can detect in I.E HTTPS/HTTP
- Pingpull try to mimic windows legitimate service ( iphlpsvc ) with a fake one ( Iph1psvc ), Hunt for event ID 4697 and check for the keyword “Iph1psvc”
Indicators of Compromise
Samples
de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761
b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541
fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e
c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845
f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3
8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20
1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6
PingPull C2 Locations
df.micfkbeljacob[.]com
t1.hinitial[.]com
5.181.25[.]55
92.38.135[.]62
5.8.71[.]97
Domains
micfkbeljacob[.]com
df.micfkbeljacob[.]com
jack.micfkbeljacob[.]com
hinitial[.]com
t1.hinitial[.]com
v2.hinitial[.]com
v3.hinitial[.]com
v4.hinitial[.]com
v5.hinitial[.]com
goodjob36.publicvm[.]com
goodluck23.jp[.]us
helpinfo.publicvm[.]com
Mailedc.publicvm[.]com
IP Addresses
(Active in last 30 days)
92.38.135[.].62
5.181.25[.]55
5.8.71[.]97
101.36.102[.]34
101.36.102[.]93
101.36.114[.]167
101.36.123[.]191
103.116.47[.]65
103.179.188[.]93
103.22.183[.]131
103.22.183[.]138
103.22.183[.]141
103.22.183[.]146
103.51.145[.]143
103.61.139[.]71
103.61.139[.]72
103.61.139[.]75
103.61.139[.]78
103.61.139[.]79
103.78.242[.]62
118.193.56[.]130
118.193.62[.]232
123.58.196[.]208
123.58.198[.]205
123.58.203[.]19
128.14.232[.]56
152.32.165[.]70
152.32.203[.]199
152.32.221[.]222
152.32.245[.]157
154.222.238[.]50
154.222.238[.]51
165.154.52[.]41
165.154.70[.]51
167.88.182[.]166
176.113.71[.]62
2.58.242[.]230
2.58.242[.]231
2.58.242[.]235
202.87.223[.]27
212.115.54[.]54
37.61.229[.]104
45.116.13[.]153
45.128.221[.]61
45.128.221[.]66
45.136.187[.]98
45.14.66[.]230
45.154.14[.]132
45.154.14[.]164
45.154.14[.]188
45.154.14[.]254
45.251.241[.]74
45.251.241[.]82
45.76.113[.]163
47.254.192[.]79
92.223.30[.]232
92.223.30[.]52
92.223.90[.]174
92.223.93[.]148
92.223.93[.]222
92.38.139[.]170
92.38.149[.]101
92.38.149[.]241
92.38.171[.]127
92.38.176[.]47
107.150.127[.]124
118.193.56[.]131
176.113.71[.]168
185.239.227[.]12
194.29.100[.]173
2.58.242[.]236
45.128.221[.]182
45.154.14[.]191
47.254.250[.]117
79.133.124[.]88
103.137.185[.]249
103.61.139[.]74
107.150.112[.]211
107.150.127[.]140
146.185.218[.]65
152.32.221[.]242
165.154.70[.]62
176.113.68[.]12
185.101.139[.]176
188.241.250[.]152
188.241.250[.]153
193.187.117[.]144
196.46.190[.]27
2.58.242[.]229
2.58.242[.]232
37.61.229[.]106
45.128.221[.]172
45.128.221[.]186
45.128.221[.]229
45.134.169[.]147
103.170.132[.]199
107.150.110[.]233
152.32.255[.]145
167.88.182[.]107
185.239.226[.]203
185.239.227[.]34
45.128.221[.]169
45.136.187[.]41
137.220.55[.]38
45.133.238[.]234
103.192.226[.]43
92.38.149[.]88
5.188.33[.]237
146.185.218[.]176
43.254.218[.]104
43.254.218[.]57
43.254.218[.]98
92.223.59[.]84
43.254.218[.]43
81.28.13[.]48
89.43.107[.]191
103.123.134[.]145
103.123.134[.]161
103.123.134[.]165
103.85.24[.]81
212.115.54[.]241
43.254.218[.]114
89.43.107[.]190
103.123.134[.]139
103.123.134[.]240
103.85.24[.]121
103.169.91[.]93
103.169.91[.]94
45.121.50[.]230
Source/Credits: https://unit42.paloaltonetworks.com/pingpull-gallium/
hps://securityaffairs.co/wordpress/132217/apt/gallium-apt-pingpull-trojan.html