UPDATED 20:21 EDT / JUNE 13 2022

SECURITY

Gallium hacking group deploys difficult-to-detect remote access malware

Palo Alto Networks Inc.’s Unit 42 today identified new, difficult-to-detect remote-access malware used by the Gallium advanced persistent threat group.

The Gallium APT group is believed to be a Chinese state-sponsored group and has a reputation for targeting telecommunications companies in Southeast Asia, Europe and Africa. In the last year, Gallium has expanded its targeting beyond telcos to include financial institutions and government entities.

The new remote access trojan, dubbed “PingPull,” can use three protocols for command and control: ICMP, HTTP(S) and raw TCP. Each of the three PingPull variants builds a custom string that it sends to the command-and-control server in every interaction to uniquely identify the compromised system.

The use of ICMP in one variant is noted as a particular concern. ICMP tunneling is not a new technique, but the Unit 42 researchers note that few organizations inspect ICMP traffic on their networks, meaning that when Gallium compromises systems, the successful infiltration may not be detected.

On a successfully compromised system, PingPull supports a range of commands that let the attackers steal data and interfere with the host. These include enumerating storage volumes, listing folder contents, reading, writing and deleting files, and several other operations.

“You don’t have to be in the intelligence field to understand that U.S.-based financial institutions, government agencies and other critical private sector industries will get hit,” Omer Yaron, head of research at security posture management company Enso Security Ltd., told SiliconANGLE. “We know that this is where we are headed because attackers are using applications more and more to breach organizations. This is a global trend.”

Yaron added that an organization can no longer rely only on the security tools and measures it already has in place. “The relevant security team must have a true, deep familiarity with the organization’s application security environment to be able to answer the simple question: Have I been breached?” he said. “You must really understand your assets because the attacks are unique, dynamic and constantly changing,” he continued. “If you don’t have a good understanding of your organization’s application environment, you won’t even know where to look, which seems like a simple first step.”

The news of PingPull comes after the U.S. government warned on June 8 that Chinese hackers are targeting known vulnerabilities. The joint Cybersecurity Advisory from the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation detailed how these hackers target and compromise major telecommunications companies and network service providers.

Photo: Wikimedia Commons
