
Alloy Taurus APT Spotted Using PingPull and a New Backdoor to Target Linux Users

Chinese threat actor Alloy Taurus has unleashed a new variant of the PingPull malware that targets Linux systems. The variant is being used alongside another backdoor, Sword2033, in a campaign against multiple entities in South Africa and Nepal.

PingPull for Linux

The Linux variant of PingPull is an ELF file that is currently flagged as malicious by only three of 62 antivirus vendors.
  • Upon execution, the variant uses the OpenSSL library and HTTP POST requests to communicate with attacker-controlled C2 servers.
  • Its command handlers align with those of China Chopper, a web shell that has been used in attacks against Microsoft Exchange servers.

Researchers suggest that Alloy Taurus could be using code it is familiar with and integrating it into the development of custom tooling. 

Sword2033 backdoor

Sword2033 is also an ELF file; it was first observed in July 2022.
  • Like the PingPull variant, the sample is designed to connect to port 8443 over HTTPS.
  • It is capable of executing malicious code and downloading files from infected systems.

Alloy Taurus has also been observed leveraging legitimate products, such as SoftEther VPN, to evade detection and maintain persistence on victims’ systems.

Conclusion

Alloy Taurus remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa. The discovery of the new PingPull Linux variant and the use of the Sword2033 backdoor suggest that the group is continuously evolving its tooling to carry out further espionage operations.
Cyware Publisher