New Linux Malware Variants Used by Chinese Hackers for Spying
Alloy Taurus, a Chinese nation-state group that has been known for targeting telecom companies since 2012, has been found to be using a Linux variant of a backdoor called PingPull and an undocumented tool called Sword2033.
The group, which previously focused on telecom companies, has expanded its cyber espionage efforts to government entities and financial institutions. It is now using a Linux port of the PingPull backdoor, a remote access trojan best known for tunnelling its command-and-control (C2) traffic over Internet Control Message Protocol (ICMP), which lets it blend in with ordinary ping traffic on networks that only scrutinize TCP and UDP.
Palo Alto Networks Unit 42 recently discovered the Linux variant and, in the process, detected malicious activity by the group against targets in South Africa and Nepal. The group, which Microsoft tracks as Granite Typhoon and which was behind the Soft Cell operation against Middle Eastern telecom providers, uses the domain yrhsywu2009.zapto[.]org on port 8443 for C2. Since ICMP has no ports, this sample talks to that server over a TCP channel rather than the ICMP channel the family is known for.
Notably, the way PingPull parses its C2 commands closely resembles China Chopper, a web shell widely used by Chinese threat actors, which suggests the operators adapt existing source code into their own custom tooling. Pivoting on the same C2 domain also surfaced a second ELF binary, Sword2033, a minimal backdoor with three capabilities: uploading files to the host, downloading files from it, and executing commands.
Sword2033 is tied to Alloy Taurus through its C2 infrastructure, which matches an indicator of compromise (IoC) that was active in a 2021 campaign against organizations in Southeast Asia, Europe, and Africa.
Unit 42 warns that the targeting of South Africa, coinciding with the country’s joint naval exercise with Russia and China, shows the group remains a significant threat to telecommunications, finance, and government organizations in these regions. The Linux port of PingPull and the appearance of the Sword2033 backdoor indicate that the group continues to evolve its tooling for espionage.
Defending against this group takes more than matching static indicators: a new Linux build and a previously undocumented backdoor mean file hashes and signatures go stale quickly. Organizations should pair indicator matching with behavioural monitoring, for example watching for anomalous ICMP traffic and for connections to dynamic DNS hosts such as the zapto[.]org domain used here.
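As an added example of the behavioural hunting described above (this is not Unit 42's or the article's code), the script below correlates the C2 domain and port from the report with constructed Zeek-style dns.log and conn.log lines, flags dynamic-DNS queries, and flags ICMP flows that look like a covert channel rather than ping. The log lines, the list of dynamic-DNS suffixes and the ICMP thresholds are assumptions for illustration; only the domain and port 8443 come from the article.

```python
"""Hunt for the PingPull/Sword2033 C2 pattern in Zeek-style logs.

Added example, not Unit 42's or the article's code. Log lines are
constructed; only C2_DOMAIN and C2_PORT come from the article.
"""
from collections import defaultdict

# Indicators named in the article (domain kept defanged as published).
C2_DOMAIN = "yrhsywu2009.zapto[.]org"
C2_PORT = 8443

# Dynamic-DNS suffixes worth flagging on their own; partial list (assumption).
DYNDNS_SUFFIXES = ("zapto.org", "no-ip.org", "ddns.net")

DNS_FIELDS = ("ts", "orig_h", "query", "answer")
CONN_FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "orig_bytes", "orig_pkts")

# Constructed sample logs: subsets of Zeek dns.log / conn.log columns, tab-separated.
SAMPLE_DNS = (
    "1682600001.10\t10.1.2.50\tyrhsywu2009.zapto.org\t203.0.113.77\n"
    "1682600002.20\t10.1.2.51\tupdates.example.com\t198.51.100.10\n"
)
SAMPLE_CONN = (
    "1682600003.00\t10.1.2.50\t203.0.113.77\t8443\ttcp\t5120\t40\n"
    "1682600004.00\t10.1.2.51\t198.51.100.10\t443\ttcp\t2048\t20\n"
    "1682600005.00\t10.1.2.52\t203.0.113.9\t0\ticmp\t65536\t200\n"
    "1682600006.00\t10.1.2.53\t10.1.2.1\t0\ticmp\t448\t8\n"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a usable domain name."""
    return indicator.replace("[.]", ".")


def parse_tsv(text: str, fields: tuple) -> list:
    """Parse tab-separated lines into dicts; skip blank and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def hunt_domain_c2(dns_text: str, conn_text: str, domain: str, port: int) -> list:
    """Hosts that resolved the C2 domain and then connected to an answer IP on `port`.

    Correlating the DNS answer with the follow-on TCP session is what separates
    this from a plain blocklist hit. Returns sorted (orig_h, resp_h) pairs.
    """
    wanted = refang(domain).lower()
    resolved = defaultdict(set)  # orig_h -> IPs the C2 domain resolved to for it
    for row in parse_tsv(dns_text, DNS_FIELDS):
        if row["query"].lower() == wanted:
            resolved[row["orig_h"]].add(row["answer"])
    hits = set()
    for row in parse_tsv(conn_text, CONN_FIELDS):
        if (row["proto"] == "tcp" and int(row["resp_p"]) == port
                and row["resp_h"] in resolved.get(row["orig_h"], ())):
            hits.add((row["orig_h"], row["resp_h"]))
    return sorted(hits)


def hunt_dyndns_queries(dns_text: str, suffixes=DYNDNS_SUFFIXES) -> list:
    """Queries under dynamic-DNS providers: a weaker signal, useful for hunting."""
    out = []
    for row in parse_tsv(dns_text, DNS_FIELDS):
        q = row["query"].lower()
        if any(q == s or q.endswith("." + s) for s in suffixes):
            out.append((row["orig_h"], row["query"]))
    return out


def hunt_icmp_c2(conn_text: str, max_avg_bytes: int = 128, max_pkts: int = 500) -> list:
    """ICMP flows that look like a covert channel rather than ping.

    Thresholds are assumptions to tune per network: a default Linux ping carries
    56 data bytes per packet, and a single flow rarely runs for hundreds of packets.
    Returns (orig_h, resp_h, average bytes per packet) for each suspicious flow.
    """
    out = []
    for row in parse_tsv(conn_text, CONN_FIELDS):
        if row["proto"] != "icmp":
            continue
        pkts = int(row["orig_pkts"])
        avg = int(row["orig_bytes"]) / pkts if pkts else 0
        if avg > max_avg_bytes or pkts > max_pkts:
            out.append((row["orig_h"], row["resp_h"], round(avg)))
    return out


if __name__ == "__main__":
    print("domain C2:", hunt_domain_c2(SAMPLE_DNS, SAMPLE_CONN, C2_DOMAIN, C2_PORT))
    print("dyndns:   ", hunt_dyndns_queries(SAMPLE_DNS))
    print("icmp:     ", hunt_icmp_c2(SAMPLE_CONN))
```

On the sample data only host 10.1.2.50 both resolves the C2 domain and opens a session to the answer on 8443, the 443 session from 10.1.2.51 is ignored because it follows a benign lookup, and the ICMP flow from 10.1.2.52 is flagged for its oversized packets while the short ping from 10.1.2.53 is not. Feed real Zeek logs through the same functions by selecting the matching columns.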