Linux systems are being targeted by a Chinese cyber-espionage gang through a bespoke variation of the open-source operating system. The gang, called Alloy Taurus, primarily targets organisations in Europe, South East Asia and Africa, according to new research.
The malware used by the hacking gang is called PingPull, and a version of it specifically targeting Linux has been found in the wild, according to a report from security company Palo Alto Networks, released today.
Alloy Taurus writes Pingpull variant for Linux
PingPull malware is a remote access trojan (RAT) used by cyber espionage gang Alloy Taurus to infiltrate systems in telecoms companies, government departments and financial institutions, researchers on Trend Micro’s Unit 42 team have revealed.
At the time of writing, three out of 62 vendors have found the sample to be malicious, but Alloy Taurus’s track record gives the research team cause for concern
The gang has been active since 2012, but has expanded its victim base within the past two years to include Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, Unit 42 says.
Evidence of the malicious code appearing to impersonate the South African military has been uncovered, at the time of its combined naval exercises with China and Russia.
Alloy Taurus, also known as GALLIUM, appears to be used by the Chinese state for reconnaissance missions. “GALLIUM’s exploitation of internet-facing services indicates it’s likely they use open source research and network scanning tools to identify likely targets,” Microsoft’s security researchers said in 2019.
The command handlers used in PingPull also match those observed in another malware named ‘China Chopper,’ a web shell seen heavily used in attacks against Microsoft Exchange servers, the report states.
Other tools used by Alloy Taurus
Investigating PingPull, researchers also found a malware variant under the control of the same command and control server called Sword2033, which appears in the same attacks but with far fewer functions.
Additionally, the gang has been known to use SoftEther VPN, which is downloaded onto Linux and Microsoft. “Alloy Taurus is known for leveraging the SoftEther VPN service in their operations to facilitate access and maintain persistence to their targeted network,” the Unit42 report says.
The identification of a Linux variant of PingPull malware, as well as recent use of the Sword2033 backdoor, suggests that the group continues to evolve their operations in support of its espionage activities, explains the report. “We encourage all organisations to leverage our findings to inform the deployment of protective measures to defend against this threat group,” the researchers said.