Chinese hackers have adopted new tactics, launching cyberattacks with malicious Linux programs. Among the weapons in the attackers’ arsenal is a new, previously undocumented Linux version of the PingPull Trojan, alongside a backdoor known as Sword2033. PingPull is a remote access Trojan first discovered by Unit 42 researchers last summer. It was used in a series of espionage attacks carried out by the Chinese group Gallium against government and financial institutions in the Philippines, Russia, Belgium, Australia, Malaysia and Vietnam.
Researchers at Unit 42 continued to monitor the espionage campaign and found that PingPull was used in the group’s recent attacks. The hackers used a new Linux variant of PingPull, targeting organizations in South Africa and Nepal. This version of PingPull, an ELF file, was flagged as malicious by only three of the 62 antivirus vendors. The researchers determined that it is a port of the known Windows malware.
They noted similarities in the HTTP communication structure, POST parameters, AES key and C2 server commands. Unit 42 researchers also observed that the commands used by PingPull match those used by another piece of malware, China Chopper. China Chopper is a web shell that has been actively deployed in attacks on Microsoft Exchange servers.
Researchers at Unit 42 uncovered another weapon in Gallium’s arsenal: the previously unknown backdoor Sword2033, which shares its C2 server with PingPull. This relatively basic tool’s functions include exfiltrating files from and uploading files to a compromised system, and executing arbitrary commands. The researchers discovered a second Sword2033 sample linked to a different C2 server; judging by the IP address of its remote server, this backdoor may have been attempting to impersonate the South African military.
In conclusion, Gallium continues to refine its attack techniques and expand its pool of targets by using new Linux versions of PingPull and the backdoor Sword2033. Organizations should therefore implement a comprehensive security strategy to counter the threats posed by this sophisticated group, and should not rely solely on static detection methods.