FortiGuard Labs is aware of a newly discovered in-the-wild remote access tool (RAT) used by GALLIUM APT, called PingPull. GALLIUM has targeted telecommunication, financial and governmental verticals, specifically in Africa, Europe and Southeast Asia in the past.GALLIUM was first detailed by CyberReason and Microsoft in 2019 in an operation targeting telecom providers stealing call detail records (CDR) that contain transactional information of SMS messages, sent and received phone calls, timestamps and other records. GALLIUM uses various off the shelf tools, and modified open source tools and malware to attack organizations for various campaigns. PingPull was observed by Palo Alto Networks in this latest campaign. Usage of the China Chopper webshell is commonly associated with this APT group as well.Powered by the CTABecause of our partnership in the Cyber Threat Alliance alongside other trusted partner organizations, Fortinet customers were protected in advance of this announcement.What is PingPull?PingPull is a remote access trojan (RAT). What makes PingPull novel is the usage of ICMP (Internet Control Message Protocol) which is not a typical TCP/UDP packet, that allows the threat actor to evade detection as it is not often monitored for anomalous activity. PingPull can also leverage HTTPS and TCP as well for further evasion. PingPull has been observed to install itself as a service for persistence. Besides containing typical RAT functionality, PingPull allows for a reverse shell further adding insult to injury. Previous RATs used by GALLIUM were modified versions of Poison Ivy and Gh0st Rat.Who is GALLIUM?GALLIUM is an APT group attributed to the Chinese government. The modus operandi of this group is to use various off the shelf tools to eventually compromise an organization via the utilization of stolen certificates to ultimately perform lateral movement within. Due to non-standardized APT naming conventions, GALLIUM is also known as Operation Soft Cell (CyberReason).What is the Status of Coverage?FortiGuard customers are protected against PingPull RAT by the following (AV) signatures:W32/PossibleThreatW64/Agent.BGA!trAll known URIs are blocked by the WebFiltering Client.
More Stories
openjpeg2-2.5.3-1.fc40
FEDORA-2024-272544ceb9 Packages in this update: openjpeg2-2.5.3-1.fc40 Update description: Update to openjpeg-2.5.3 Fix 2 heap-buffer-overflow Read More
libxml2-2.12.9-1.fc40
FEDORA-2024-9f3765a04b Packages in this update: libxml2-2.12.9-1.fc40 Update description: Update to 2.12.9 Fixes CVE-2024-40896 Read More
libxml2-2.12.9-1.fc41
FEDORA-2024-867a14de12 Packages in this update: libxml2-2.12.9-1.fc41 Update description: Update to 2.12.9 Fixes CVE-2024-40896. Read More
iwd-3.3-1.fc40 libell-0.71-1.fc40
FEDORA-2024-0fa283c43a Packages in this update: iwd-3.3-1.fc40 libell-0.71-1.fc40 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
iwd-3.3-1.fc41 libell-0.71-1.fc41
FEDORA-2024-256818da09 Packages in this update: iwd-3.3-1.fc41 libell-0.71-1.fc41 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
A vulnerability has been discovered in Apache Struts2, which could allow for remote code execution. Apache Struts2 is an open-source...