PingPull Malware
Security researchers with Palo Alto Networks' Unit 42 discovered and analyzed a new strain of malware called PingPull. The new malware has RAT capabilities and is particularly difficult to detect.
PingPull is the newest tool in the arsenal of the GALLIUM advanced persistent threat actor, sometimes referred to as Softcell. The geolocation of the entities GALLIUM targets, together with its use of malware and modes of operation already linked to known Chinese threat actors, makes it very likely that GALLIUM is itself Chinese and state-sponsored.
PingPull comes in three variants that use three different protocols to communicate with the malware's C2 servers; all three variants have the same capabilities.
The Trojan offers twelve commands and uses the cmd.exe Windows process as a reverse shell. The commands include storage-drive enumeration and all major file operations, including converting files to hex, timestamping files and manipulating directories.
The malware can install a copy of itself as a service on the compromised machine, copying the description of the legitimate Iphlpsvc Windows service in an attempt to dodge detection.
Communication between the trojan and its C2 infrastructure is encrypted using AES.