Chinese Alloy Taurus Updates PingPull Malware

Unit 42 identified a new PingPull Linux variant used by Alloy Taurus, alongside a related backdoor dubbed Sword2033, expanding their Linux-focused espionage toolkit. The findings link these tools to Alloy Taurus’s C2 infrastructure and regional activity in South Africa and Nepal, highlighting continued evolution of their operations.

Keypoints

  • Discovery of a PingPull Linux variant (ELF) and a Sword2033 backdoor linked to Alloy Taurus’ C2 infrastructure.
  • The PingPull Linux variant uses HTTPS on port 8443 to communicate with yrhsywu2009.zapto[.]org and transmits Base64-encoded, AES-encrypted data.
  • Command handling in PingPull includes multiple file and system operations (A–K, M), echoing functionality seen in China Chopper.
  • Sword2033 is a simple backdoor with three commands: upload a file to the system, download a file from the system, and execute a command with an appended random number.
  • Infrastructure indicators show C2 domains and IPs tied to Alloy Taurus activity, including SoftEther VPN usage and a domain name (saspecialforces.co[.]za) that impersonates a South African target, consistent with the group’s operations against South Africa and Nepal.
  • Palo Alto Networks provides protections via WildFire, URL/DNS filtering, Cortex XDR, and incident response guidance.

MITRE Techniques

  • [T1071.001] Application Layer Protocol: Web Protocols – The PingPull Linux variant communicates with its C2 over HTTPS on port 8443. Quote: “communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2.”
  • [T1027] Obfuscated Files and Information – The payload data is Base64-encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. Quote: “Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key.” Note that the excerpt names the key but not the cipher mode or IV, which a decryptor would also need.
  • [T1059.004] Unix Shell – The PingPull command handler includes a Run command function (M). Quote: “M Run command.”
  • [T1105] Ingress Tool Transfer – Sword2033 samples perform file transfers as part of their backdoor functionality. Quote: “Uploads a file to the system” and “Downloads a file from the system.” Only the upload direction is ingress tool transfer; pulling a file from the victim is exfiltration over the C2 channel (closer to T1041) rather than T1105.

Indicators of Compromise

  • [File Hash] PingPull Linux Variant – cb0922d8b130504bf9a3078743294791201789c5a3d7bc0369afd096ea15f0ae
  • [File Hash] Sword2033 – 5ba043c074818fdd06ae1d3939ddfe7d3d35bab5d53445bc1f2f689859a87507, e39b5c32ab255ad284ae6d4dae8b4888300d4b5df23157404d9c8be3f95b3253
  • [Domain] Alloy Taurus Infrastructure – yrhsywu2009.zapto[.]org, *.saspecialforces.co[.]za
  • [IP Address] – 5.181.25[.]99, 196.216.136[.]139
  • [Domain] SoftEther VPN dynamic DNS hostname – vpn729380678.softether[.]net
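The C2 profile described under Keypoints and MITRE Techniques (HTTPS on tcp/8443 to the C2 domain, Base64-wrapped AES ciphertext) and the indicator list above can be turned into a simple hunt. The following is an added example written for this digest; it is not Unit 42 tooling and not code from the report. It refangs the page's indicators, matches them against Zeek-style JSON dns/conn records (the records are constructed for the example, not real captures), flags tcp/8443 to any other host as a weak signal, and applies a Base64/AES-block-length triage check whose block-mode assumption is not stated on the page.

```python
"""Hunt for this page's Alloy Taurus / PingPull indicators in Zeek-style JSON logs.

Added example for this digest; not Unit 42 tooling. Indicator values are
copied from the page; the log records below are constructed for the example.
"""
import base64
import binascii
import json

# Indicators as listed on this page, kept defanged ("[.]") until refanged.
DEFANGED_DOMAINS = [
    "yrhsywu2009.zapto[.]org",       # PingPull Linux C2
    "*.saspecialforces.co[.]za",     # Alloy Taurus infrastructure (wildcard)
    "vpn729380678.softether[.]net",  # SoftEther VPN DDNS hostname
]
DEFANGED_IPS = ["5.181.25[.]99", "196.216.136[.]139"]
C2_PORT = 8443  # PingPull Linux variant talks HTTPS to its C2 on tcp/8443


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased value."""
    return ioc.replace("[.]", ".").strip().lower()


IOC_DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}


def domain_matches(name: str, patterns=IOC_DOMAINS) -> bool:
    """Exact match, or for '*.apex' patterns the apex itself and any subdomain.

    Suffix matching is anchored on the dot, so 'saspecialforces.co.za.evil.com'
    and 'notsaspecialforces.co.za' do not match.
    """
    name = name.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            apex = pattern[2:]
            if name == apex or name.endswith("." + apex):
                return True
        elif name == pattern:
            return True
    return False


def check_record(rec: dict) -> list:
    """Return the reasons one Zeek-style dns/conn record matches the IOC set."""
    reasons = []
    query = rec.get("query")
    if query and domain_matches(query):
        reasons.append(f"dns query for {query}")
    for answer in rec.get("answers", []):
        if answer in IOC_IPS:
            reasons.append(f"dns answer {answer}")
    resp_h, resp_p = rec.get("id.resp_h"), rec.get("id.resp_p")
    if resp_h in IOC_IPS:
        reasons.append(f"connection to C2 address {resp_h}:{resp_p}")
    elif resp_p == C2_PORT and rec.get("proto") == "tcp":
        # Not an IOC on its own, but tcp/8443 is the documented C2 port: review it.
        reasons.append(f"tcp/{C2_PORT} to {resp_h} (weak signal, review)")
    return reasons


def hunt(lines) -> list:
    """Run check_record over JSON log lines; return (line_number, reasons) per hit."""
    hits = []
    for number, line in enumerate(lines):
        reasons = check_record(json.loads(line))
        if reasons:
            hits.append((number, reasons))
    return hits


def looks_like_block_ciphertext(b64: str, block_size: int = 16) -> bool:
    """Triage heuristic for the Base64-over-AES payload format described above.

    Assumption (not stated on the page): a block mode such as CBC, so the decoded
    length is a non-zero multiple of 16. Strict Base64 validation rejects junk.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % block_size == 0


# Constructed sample records (Zeek JSON field names); not real captures.
SAMPLE_LOGS = [
    '{"_path":"dns","id.orig_h":"10.0.0.5","query":"yrhsywu2009.zapto.org","answers":["5.181.25.99"]}',
    '{"_path":"dns","id.orig_h":"10.0.0.5","query":"mail.saspecialforces.co.za","answers":["198.51.100.9"]}',
    '{"_path":"dns","id.orig_h":"10.0.0.7","query":"www.example.com","answers":["93.184.216.34"]}',
    '{"_path":"conn","id.orig_h":"10.0.0.5","id.resp_h":"5.181.25.99","id.resp_p":8443,"proto":"tcp"}',
    '{"_path":"conn","id.orig_h":"10.0.0.7","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp"}',
    '{"_path":"conn","id.orig_h":"10.0.0.9","id.resp_h":"196.216.136.139","id.resp_p":443,"proto":"tcp"}',
    '{"_path":"conn","id.orig_h":"10.0.0.9","id.resp_h":"203.0.113.7","id.resp_p":8443,"proto":"tcp"}',
]

# Constructed payload samples for the heuristic (zero bytes, not PingPull traffic).
SAMPLE_B64_32 = base64.b64encode(b"\x00" * 32).decode()
SAMPLE_B64_20 = base64.b64encode(b"\x00" * 20).decode()

if __name__ == "__main__":
    for number, reasons in hunt(SAMPLE_LOGS):
        print(f"line {number}: " + "; ".join(reasons))
```

Run as-is, the script reports the two DNS records, the two connections to listed IPs, and the tcp/8443 connection to an unlisted host as a weak signal; the www.example.com lookup and the tcp/443 connection to an unlisted host produce nothing. The wildcard matcher deliberately matches the apex as well as subdomains, and the length heuristic is only a filter for payloads worth decrypting once the mode and IV are known.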

Read more: https://unit42.paloaltonetworks.com/alloy-taurus/