HomeMiddle East & AfricaTelcos a PingPull away from Chinese RAT attack – Palo Alto

    Telcos a PingPull away from Chinese RAT attack – Palo Alto


    Security don’t spot the assimilated foreign agents

    A Chinese hacking group known for targeting mobile operators in Europe, the Middle East and Africa has developed a new, ‘difficult-to-detect’ remote access trojan (RAT). Now it’s using its expertise in protocol observation and assimilation for espionage activities, Palo Alto Networks’ Unit 42 said in research published this week.

    Telcos beware

    The researchers spotted the malware as they monitor the hacking group Gallium, a Chinese state-sponsored group of Cyber cynics that has been sinister since 2012 according to Mitre, a non-profit research organisation funded by private grants and the US government. Gallium has now extended its targeting beyond telecoms into financial institutions and government entities, the researchers said. So mobile network operators need to be aware they are the gateway to a massive state-sponsored hack attack, according to the researchers.


    The remote access trojan (RAT), dubbed “PingPull” by the researchers, disguises its command and control communications with the ICMP protocol, which is typically used by devices on a network to diagnose communication issues and send error reports. This is not a novel technique, but PingPull makes detection harder as few telcos inspect the ICMP traffic on their networks, the researchers say. Security experts observed the group hitting targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.

    Blending in

    There are also PingPull variants that rely on different protocols for command and control operations, including HTTP(S), which relates to the ways data travels between a web browser and a website, and the Transmission Control Protocol or TCP, the protocol by which programmes and devices exchange messages over a network. Regardless of the variant, the malware mimics legitimate computer operations to try and blend into normal activity. The malware can perform a variety of activities once inside a system, such as reading, writing and deleting files and copying and moving files. “Gallium remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa,” the researchers said.