New Linux Malware Variants Used by Chinese Hackers for Spying

New Linux Malware Variants Used by Chinese Hackers for Spying

아리 데니알
Published by: 아리 데니알 on 3월 29, 2024

Alloy Taurus, a Chinese nation-state group that has been known for targeting telecom companies since 2012, has been found to be using a Linux variant of a backdoor called PingPull and an undocumented tool called Sword2033.

The group had previously targeted telecom companies, has expanded its cyber espionage efforts to include government entities and financial institutions. The group is now utilizing a Linux version of the PingPull backdoor, a remote access trojan that relies on Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.

Palo Alto Networks Unit 42 recently discovered the Linux variant, and in the process detected malicious cyber activity by the group against South Africa and Nepal. The group, which is also known as Granite Typhoon and was previously part of the Soft Cell operation that targeted Middle Eastern telecom providers, employs yrhsywu2009.zapto[.]org on port 8443 for C2 communications.

It is worth noting that PingPull’s analysis of the C2 instructions closely resembles that of China Chopper, a common web shell employed by Chinese threat actors. This indicates that the attacker may be adapting pre-existing source code to create their own customized tools. Additionally, a thorough investigation of the domain in question has uncovered another ELF artifact, Sword2033, which possesses three fundamental capabilities: uploading and extracting files to and from the system, as well as executing commands.

The malware’s link to Alloy Taurus comes from its association with an active Indicator of Compromise (IoC) in a 2021 campaign against companies in Southeast Asia, Europe, and Africa.

Unit 42 warns that the group’s targeting of South Africa, particularly during its joint naval exercise with Russia and China, shows that they remain a significant threat to telecommunications, finance, and government organizations in these regions. The discovery of a Linux variant of PingPull malware and the use of Sword2033 backdoor indicate that they continue to evolve their operations for espionage purposes.

To effectively combat this sophisticated threat, organizations must implement a comprehensive security strategy rather than relying solely on static detection methods.

이 기사가 마음에 드셨나요? 평가해 주세요!
정말 싫습니다 별로 좋아하지 않습니다 괜찮습니다 꽤 좋습니다! 정말 좋습니다!
5.00 1명의 사용자가 투표
제목
코멘트
피드백을 주셔서 감사합니다