PingPull RAT Activity Observed in New in the Wild Attacks (GALLIUM APT)

Description

FortiGuard Labs is aware of a newly discovered in-the-wild remote access tool (RAT) used by GALLIUM APT, called PingPull. GALLIUM has targeted telecommunication, financial and governmental verticals, specifically in Africa, Europe and Southeast Asia in the past.

GALLIUM was first detailed by CyberReason and Microsoft in 2019 in an operation targeting telecom providers stealing call detail records (CDR) that contain transactional information of SMS messages, sent and received phone calls, timestamps and other records. GALLIUM uses various off the shelf tools, and modified open source tools and malware to attack organizations for various campaigns. PingPull was observed by Palo Alto Networks in this latest campaign. Usage of the China Chopper webshell is commonly associated with this APT group as well.

Powered by the CTA

Because of our partnership in the Cyber Threat Alliance alongside other trusted partner organizations, Fortinet customers were protected in advance of this announcement.

What is PingPull?

PingPull is a remote access trojan (RAT). What makes PingPull novel is the usage of ICMP (Internet Control Message Protocol) which is not a typical TCP/UDP packet, that allows the threat actor to evade detection as it is not often monitored for anomalous activity. PingPull can also leverage HTTPS and TCP as well for further evasion.

PingPull has been observed to install itself as a service for persistence. Besides containing typical RAT functionality, PingPull allows for a reverse shell further adding insult to injury. Previous RATs used by GALLIUM were modified versions of Poison Ivy and Gh0st Rat.

Who is GALLIUM?

GALLIUM is an APT group attributed to the Chinese government. The modus operandi of this group is to use various off the shelf tools to eventually compromise an organization via the utilization of stolen certificates to ultimately perform lateral movement within. Due to non-standardized APT naming conventions, GALLIUM is also known as Operation Soft Cell (CyberReason).

What is the Status of Coverage?

FortiGuard customers are protected against PingPull RAT by the following (AV) signatures:

W32/PossibleThreat

W64/Agent.BGA!tr

All known URIs are blocked by the WebFiltering Client.

Appendix

GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Palo Alto Networks)

GALLIUM: Targeting Global Telecom (Microsoft)

Operation SoftCell: A Worldwide Campaign Against Telecommunications Providers (CyberReason)