Of note, the HTTP parameters z0, z1 and z2 and command handlers A-K, M also align to commands A-K, M observed in the web shell China Chopper. Timestomp file with specified timestamp in " %04d-%d-%d %d:%d:%d" format
#Picktorial update folder tree windows
The command handler supports the following functionality that aligns with both China Chopper capabilities and those observed in the PingPull Windows PE variant: Cmd The values in the z0, z1 and z2 parameters are used for the arguments passed to the command.Īfter running the command, the payload will send the results back to the C2 server via an HTTPS request that resembles the beacon request, but contains Base64 encoded ciphertext. The value in the P29456789A1234sS parameter will contain a single upper case character between A and K, as well as M, which the payload will use as the command value. Once decoded, the cleartext resembles HTTP parameters and the payload will parse the cleartext for & and = with the following parameters: Figure 2. This is the same key that we previously observed in the original Windows PE variant of PingPull. The payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS via the following HTTP POST request: Figure 1. Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zaptoorg over port 8443 for C2. This determination was made based on matching HTTP communication structure, POST parameters, AES key, and C2 commands, which are outlined below. Despite a largely benign verdict, additional analysis has determined that this sample is a Linux variant of PingPull malware. On March 7, 2023, the following sample was uploaded to VirusTotal. Related Unit 42 TopicsĪlloy Taurus, PingPull, Advanced Persistent ThreatĪdditional Resources PingPull Linux Variant The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against C2 infrastructure. Palo Alto Networks customers receive protections from the threats described in this blog through Cortex XDR and WildFire malware analysis. Recent activity by Alloy Taurus in South Africa and Nepal.Sword2033 samples linked to the same command and control (C2) infrastructure.We provide a detailed breakdown of the following: In recent years we have also observed the group expand their targeting to include financial institutions and government entities.
This group has historically targeted telecommunications companies operating across Asia, Europe and Africa. Operating since at least 2012, Alloy Taurus (aka GALLIUM, Softcell) is assessed to be a Chinese advanced persistent threat (APT) group that routinely conducts cyberespionage campaigns. Monitoring its use across several campaigns, in June 2022 Unit 42 published research outlining the functionality of PingPull and attributed the use of the tool to Alloy Taurus. The first samples of PingPull malware date back to September 2021. While following the infrastructure leveraged by the actor for this PingPull variant, we also identified their use of another backdoor we track as Sword2033. Unit 42 researchers recently identified a new variant of PingPull malware used by Alloy Taurus actors designed to target Linux systems.
0 kommentar(er)
