Unit 42 identifies PingPull, a new remote access Trojan used by the GALLIUM group, expanding its targeting beyond telecommunications to financial institutions and government entities across multiple regions. PingPull supports three C2 channels (ICMP, HTTP(S), and raw TCP) and is linked to extensive GALLIUM infrastructure, including subdomains, questionable certificates, and a broad IP footprint. #PingPull #GALLIUM #Softcell #hinitial
Key points
- PingPull is a newly identified remote access Trojan used by the GALLIUM (Softcell) group.
- GALLIUM expanded its targeting from telecoms to financial institutions and government entities across Southeast Asia, Europe and Africa.
- PingPull employs three C2 channels—ICMP, HTTPS, and raw TCP—to communicate with its C2 server.
- The malware can install itself as a Windows service and masquerade as the legitimate IP Helper service by reusing that service's description text.
- PingPull’s command set includes enumerating drives, listing folders, reading/writing/deleting files, timestomping, and invoking a reverse shell via cmd.exe.
- The infrastructure behind PingPull features hinitial[.]com subdomains, unusual X.509 certificates, and hundreds of IPs dating back to late 2020.
- Palo Alto Networks products (Cortex XDR, WildFire, Threat Prevention, etc.) provide protections and detections for PingPull.
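One defender-side check the service masquerade suggests is to compare every installed service that carries the IP Helper description against what the real IP Helper service looks like. The script below is an added example, not Unit 42's code or PingPull's: it takes service records (the kind an inventory job would export from the Services registry hive) and flags any that borrow the IP Helper description but are not the iphlpsvc service hosted by svchost.exe under System32. The service records are constructed for illustration; the description string comes from the report, the file names ServerMannger.exe and samp.exe are the sample names listed on the page, and the paths they sit in are invented.

```python
"""Flag services that reuse the IP Helper (iphlpsvc) description but do not
run as the genuine IP Helper service. Added example; records are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

# Description text of the legitimate IP Helper service, which PingPull reuses
# for its own service entry (quoted in the report).
IPHLPSVC_DESCRIPTION_PREFIX = (
    "Provides tunnel connectivity using IPv6 transition technologies "
    "(6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS."
)


@dataclass
class ServiceRecord:
    host: str          # machine the record was collected from
    name: str          # service key name under CurrentControlSet\Services
    description: str   # Description value
    image_path: str    # ImagePath value, as stored (may contain arguments)


def _executable_from_image_path(image_path: str) -> str:
    """Return the executable part of an ImagePath, lower-cased, with the
    %SystemRoot% placeholder expanded to the default install location."""
    p = image_path.strip()
    if p.startswith('"'):
        exe = p[1:].split('"', 1)[0]
    else:
        idx = p.lower().find(".exe")
        exe = p[: idx + 4] if idx != -1 else (p.split() or [""])[0]
    return exe.lower().replace("%systemroot%", r"c:\windows")


def is_masquerading_service(svc: ServiceRecord) -> Tuple[bool, str]:
    """A service is suspicious when it carries the IP Helper description but
    either is not named iphlpsvc or is not hosted by System32\\svchost.exe."""
    if not svc.description.startswith(IPHLPSVC_DESCRIPTION_PREFIX):
        return False, ""
    if svc.name.lower() != "iphlpsvc":
        return True, f"IP Helper description reused by service '{svc.name}'"
    exe = _executable_from_image_path(svc.image_path)
    if not exe.endswith(r"\system32\svchost.exe"):
        return True, f"iphlpsvc not hosted by svchost.exe (ImagePath: {svc.image_path})"
    return False, ""


def find_masquerading(records: List[ServiceRecord]) -> List[Tuple[str, str, str]]:
    """Return (host, service name, reason) for every flagged record."""
    findings = []
    for svc in records:
        flagged, reason = is_masquerading_service(svc)
        if flagged:
            findings.append((svc.host, svc.name, reason))
    return findings


# Constructed sample inventory: one clean host, two with suspicious entries.
SAMPLE_SERVICES = [
    ServiceRecord("ws01", "iphlpsvc", IPHLPSVC_DESCRIPTION_PREFIX + " If this service is stopped...",
                  r"%SystemRoot%\System32\svchost.exe -k NetSvcs -p"),
    ServiceRecord("ws01", "Spooler", "This service spools print jobs.",
                  r"%SystemRoot%\System32\spoolsv.exe"),
    ServiceRecord("ws02", "IPHelper", IPHLPSVC_DESCRIPTION_PREFIX,
                  r"C:\Users\Public\ServerMannger.exe"),          # path is invented
    ServiceRecord("ws03", "iphlpsvc", IPHLPSVC_DESCRIPTION_PREFIX,
                  r'"C:\ProgramData\samp.exe" -svc'),               # path is invented
]

if __name__ == "__main__":
    for host, name, reason in find_masquerading(SAMPLE_SERVICES):
        print(f"{host}: {name}: {reason}")
```

Feeding this real data means exporting the Description and ImagePath values from the Services hive on each host; the check deliberately keys on the description text rather than the display name, because that is the field the report says PingPull copies.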
MITRE Techniques
- [T1572] Protocol Tunneling – PingPull’s service entry borrows the IP Helper description, claiming to provide tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. ‘Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.’
- [T1095] Non-Application Layer Protocol – PingPull uses ICMP for C2 communications. ‘PingPull would use ICMP for C2 communications.’
- [T1071.001] Web Protocols – PingPull HTTPS variant communicates with its C2 server over HTTPS. ‘uses HTTPS requests to communicate with its C2 server.’
- [T1059.003] Windows Command Shell – PingPull can run commands through cmd.exe, which acts as a reverse shell for the operator. ‘the group has the ability to run commands on cmd.exe that acts as a reverse shell for the actor.’
- [T1543.003] Create or Modify System Process: Windows Service – PingPull installs itself as a service with a description about tunneling and IPv6 transition technologies. ‘Provides tunnel connectivity using IPv6 transition technologies…’
- [T1005] Data from Local System – PingPull can read local files, e.g., reading the contents of C:\test.txt. ‘read the contents of C:\test.txt’
- [T1083] File and Directory Discovery – PingPull can enumerate storage volumes and list folder contents. ‘Enumerate storage volumes (A: through Z:) … List folder contents’
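Of the three C2 channels, ICMP is the one most likely to slip past egress controls, so it is worth showing what a network-side heuristic for it looks like. The script below is an added example, not Unit 42's code: it runs three simple checks over ICMP echo-request records of the kind a flow collector or IDS would emit, per source/destination pair: payload sizes that vary between requests (ordinary ping tooling keeps a fixed size, while a channel carrying commands and results does not), sizes outside the defaults of the common ping tools (32 bytes for Windows ping.exe, 56 for Linux ping), and an unusually high request count within a sliding window. The records are constructed for illustration; the only page-derived value is the destination 92.38.135.62, which the report lists as C2 infrastructure, and the thresholds are assumptions to tune per environment.

```python
"""Heuristics for spotting ICMP echo traffic that behaves like a C2 channel.
Added example; the flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default echo-request payload sizes of Windows ping.exe and Linux ping.
STANDARD_PING_PAYLOADS = {32, 56}
WINDOW_SECONDS = 300          # assumed sliding-window length
MAX_REQUESTS_PER_WINDOW = 50  # assumed per-pair threshold; tune per environment
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpRecord:
    ts: float         # epoch seconds
    src: str
    dst: str
    icmp_type: int    # 8 = echo request, 0 = echo reply
    payload_len: int  # bytes following the ICMP header


def _peak_requests_in_window(reqs: List[IcmpRecord], window: float) -> int:
    """Largest number of requests falling inside any `window`-second span."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    start, peak = 0, 0
    for end in range(len(reqs)):
        while reqs[end].ts - reqs[start].ts > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyse_icmp(records: List[IcmpRecord],
                 window: float = WINDOW_SECONDS,
                 max_requests: int = MAX_REQUESTS_PER_WINDOW
                 ) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Return ((src, dst), [reasons]) for every pair that trips a heuristic."""
    by_pair: Dict[Tuple[str, str], List[IcmpRecord]] = defaultdict(list)
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            by_pair[(r.src, r.dst)].append(r)

    findings = []
    for pair, reqs in sorted(by_pair.items()):
        reasons = []
        sizes = {r.payload_len for r in reqs}
        if len(sizes) > 1:
            reasons.append(f"variable payload sizes {sorted(sizes)}")
        if not sizes <= STANDARD_PING_PAYLOADS:
            reasons.append("payload size outside standard ping defaults")
        peak = _peak_requests_in_window(reqs, window)
        if peak > max_requests:
            reasons.append(f"{peak} echo requests within {int(window)}s")
        if reasons:
            findings.append((pair, reasons))
    return findings


def build_sample() -> List[IcmpRecord]:
    """Constructed traffic: a host pinging its gateway normally, and a host
    sending a steady stream of odd-sized echo requests to a listed C2 IP."""
    recs = [IcmpRecord(1000 + i, "10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, 32)
            for i in range(10)]
    recs += [IcmpRecord(2000 + i * 2, "10.0.0.7", "92.38.135.62",
                        ICMP_ECHO_REQUEST, 64 + (i % 5) * 17)
             for i in range(60)]
    # Replies are ignored by the analysis but present in real captures.
    recs.append(IcmpRecord(1001, "10.0.0.1", "10.0.0.5", 0, 32))
    return recs


if __name__ == "__main__":
    for (src, dst), reasons in analyse_icmp(build_sample()):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

None of the three checks is conclusive alone (monitoring tools also send many echoes, and some send non-default sizes), which is why the function reports every reason per pair rather than a single verdict; pairs that trip more than one check, or whose destination matches published C2 indicators, are the ones to escalate.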
Indicators of Compromise
- [File Hash] PingPull sample hashes – de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761, b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541, and 7 more hashes
- [Domain] PingPull C2 domains – hinitial.com, t1.hinitial.com, goodjob36.publicvm.com, and 2 more domains
- [IP Address] C2 infrastructure IPs – 92.38.135.62, 5.181.25.55, and many others
- [File Name] PingPull samples – ServerMannger.exe, samp.exe
- [X.509 Certificate] Suspicious certificate – SHA1 76efd8ef3f64059820d937fa87acf9369775ecd5 with common name ‘bbb’
- [AES Key] Encryption keys used by PingPull – P29456789A1234sS, dC@133321Ikd!D^i
Read more: https://unit42.paloaltonetworks.com/pingpull-gallium/