Geopolitics

Researchers ID new RAT developed by Chinese hacking group with growing target list

The remote access trojan mimics legitimate computer activity to make it harder to detect, the researchers said.

June 13, 2022

Rosetta Bonatti/Getty Images

An established Chinese hacking group known for targeting telecommunications, finance and government organizations around the world has developed a “new, difficult-to-detect” remote access trojan it is using as part of its espionage activities, researchers with Palo Alto Networks’ Unit 42 said in research published Monday.

The researchers spotted the malware as part of their ongoing monitoring of a hacking group known as Gallium, a Chinese state-sponsored group active since at least 2012 according to Mitre, a nonprofit research organization funded by private grants and the U.S. government.

Gallium has extended its targeting beyond telecommunications over the last year, the Unit 42 researchers wrote, to include financial institutions and government entities.

The remote access trojan (RAT), dubbed “PingPull” by the researchers, can make it more difficult to detect its command and control communications in part by leveraging the ICMP protocol, typically used by devices on a network to diagnose communication issues and send error reports. The use of ICMP is not a novel technique, but PingPull makes detection harder “as few organizations implement inspection of ICMP traffic on their networks,” the researchers wrote.

It’s not clear in how many of the observed campaigns PingPull was used, but the researchers observed the group hitting targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam, they said.

There are also PingPull variants that rely on different protocols for command and control operations, including HTTP(S), which relates to the ways data travels between a web browser and a website, and the Transmission Control Protocol or TCP, which enables programs and devices to exchange messages over a network.

Regardless of the variant, the malware mimics legitimate computer operations to try and blend into normal activity. The malware can perform a variety of activities once inside a system, such as reading, writing and deleting files and copying and moving files, the researchers wrote.

“GALLIUM remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa,” the researchers wrote.

Researchers ID new RAT developed by Chinese hacking group with growing target list

More Like This

‘Large volume’ of data stolen from UN agency after ransomware attack

Decade-old malware haunts Ukrainian police

FBI director warns of China’s preparations for disruptive infrastructure attacks

Top Stories

Treasury official: Small financial institutions have ‘growth to do’ in using AI against threats

More Scoops

Stealthy hacks show advancements in China’s cyberespionage operations, researchers say

This China-linked espionage group keeps trying to hack the Cambodian government

A Chinese hacking group breached a telecom to monitor targets’ texts, phone metadata

APT groups are exploiting outdated VPNs to spy on international targets, U.K. and U.S. warn

Chinese-linked hacking group gets crafty to avoid detection

Symantec finds that a ‘new’ Chinese hacking group has actually been around for a decade

Researchers suggest Gorgon Group behind hacking spree that abused Bit.ly and Blogspot functionalities

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics