
Chinese cyber-espionage gang Alloy Taurus writes PingPull malware for Linux

One of China's most prolific cybercrime gangs has apparently come up with new malware to target the Linux operating system.

By Claudia Glover

Linux systems are being targeted by a Chinese cyber-espionage gang through a bespoke variant of its malware built for the open-source operating system. The gang, called Alloy Taurus, primarily targets organisations in Europe, South East Asia and Africa, according to new research.

Chinese cyber-espionage gang designs malware to infiltrate Linux systems. (Photo by Stanislaw Mikulski/Shutterstock)

The malware used by the hacking gang is called PingPull, and a version of it specifically targeting Linux has been found in the wild, according to a report from security company Palo Alto Networks, released today.

Alloy Taurus writes PingPull variant for Linux

PingPull malware is a remote access trojan (RAT) used by cyber espionage gang Alloy Taurus to infiltrate systems in telecoms companies, government departments and financial institutions, researchers on Trend Micro’s Unit 42 team have revealed.

At the time of writing, only three out of 62 vendors have flagged the sample as malicious, but Alloy Taurus’s track record gives the research team cause for concern.

The gang has been active since 2012, but has expanded its victim base within the past two years to include Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, Unit 42 says.

Evidence has also been uncovered of the malicious code impersonating the South African military, at the time of that country's combined naval exercises with China and Russia.

Alloy Taurus, also known as GALLIUM, appears to be used by the Chinese state for reconnaissance missions. “GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets,” Microsoft’s security researchers said in 2019.


The command handlers used in PingPull also match those observed in another malware named ‘China Chopper,’ a web shell seen heavily used in attacks against Microsoft Exchange servers, the report states.

Other tools used by Alloy Taurus

Investigating PingPull, researchers also found a second backdoor, called Sword2033, controlled by the same command and control server. It appears in the same attacks but with far fewer functions.

Additionally, the gang has been known to use SoftEther VPN, which it deploys on both Linux and Windows hosts. “Alloy Taurus is known for leveraging the SoftEther VPN service in their operations to facilitate access and maintain persistence to their targeted network,” the Unit 42 report says.
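Because SoftEther is a legitimate VPN product, its presence is only suspicious on hosts where no VPN is sanctioned. The following is an added example written for this article, not code from Unit 42 or Tech Monitor: it walks a constructed, `ps`-style process export from several Linux hosts, matches the SoftEther binary names (vpnserver, vpnbridge, vpnclient, vpncmd, as shipped upstream), and reports any running on a host outside a constructed allowlist of expected VPN gateways. The host names, allowlist and line format are all assumptions for illustration.

```python
"""Flag SoftEther VPN processes on Linux hosts where no VPN deployment is expected.

Added example for this article; the process lines, host names and allowlist
below are constructed and not taken from the Unit 42 report.
"""
import re
from dataclasses import dataclass

# Binary names SoftEther ships (assumption: names as distributed upstream).
SOFTETHER_BINARIES = {"vpnserver", "vpnbridge", "vpnclient", "vpncmd"}

# Hosts on which a SoftEther deployment is sanctioned (constructed allowlist).
EXPECTED_VPN_HOSTS = {"vpn-gw01"}

# Expected input format: "<host> <pid> <user> <command ...>" (constructed export).
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Finding:
    host: str
    pid: int
    user: str
    command: str


def parse_line(line):
    """Split one export line into (host, pid, user, command); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, pid, user, cmd = m.groups()
    return host, int(pid), user, cmd


def is_softether(command):
    """True when the executable (basename of the first token) is a SoftEther binary."""
    exe = command.split()[0].rsplit("/", 1)[-1]
    return exe in SOFTETHER_BINARIES


def find_unexpected_softether(lines):
    """Return Findings for SoftEther processes on hosts not in the allowlist."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole sweep
        host, pid, user, cmd = parsed
        if host in EXPECTED_VPN_HOSTS:
            continue  # sanctioned VPN gateway; not a finding
        if is_softether(cmd):
            findings.append(Finding(host, pid, user, cmd))
    return findings


# Constructed sample export: one sanctioned gateway, two unexpected hosts,
# ordinary services, and one malformed line.
SAMPLE_PROCESS_LINES = [
    "vpn-gw01 2210 root /usr/local/vpnserver/vpnserver execsvc",
    "web-01 1881 www-data /usr/sbin/nginx -g daemon off;",
    "db-02 4032 root /tmp/.x/vpnserver execsvc",
    "db-02 4040 postgres /usr/lib/postgresql/14/bin/postgres -D /var/lib/postgresql/14/main",
    "build-03 777 jenkins /opt/vpnbridge/vpnbridge start",
    "malformed line without a pid",
]

if __name__ == "__main__":
    for f in find_unexpected_softether(SAMPLE_PROCESS_LINES):
        print(f"{f.host}: pid {f.pid} ({f.user}) {f.command}")
```

In practice the allowlist would come from an asset inventory, and a hit on a host like the database server above (binary running from a hidden directory under /tmp) would be escalated rather than merely printed.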

The identification of a Linux variant of PingPull malware, as well as the recent use of the Sword2033 backdoor, suggests that the group continues to evolve its operations in support of its espionage activities, the report explains. “We encourage all organisations to leverage our findings to inform the deployment of protective measures to defend against this threat group,” the researchers said.

