A Chinese-based threat group known as Gallium has been observed using a newly discovered Remote Access Trojan (RAT) in its espionage attacks. These attacks have targeted companies operating in Southeast Asia, Europe, and Africa.
This RAT, named PingPull, is notable because it can use the Internet Control Message Protocol (ICMP) to carry out its Command and Control (C2) activity. It does this by sending specially crafted ICMP Echo Request packets to the C2 server, which responds with Echo Reply packets to issue commands to the system. Packets in both directions use the same structure and carry a Base64-encoded, AES-encrypted payload to move information back and forth. This difficult-to-detect methodology allows the threat actors to execute commands more stealthily, such as reading or writing files, listing folder contents, running commands through cmd.exe, and so on.
Other variants of PingPull were also discovered that use more traditional RAT protocols, such as HTTPS and TCP. While the method of entry for these specific attacks is unknown, Gallium has been known to exploit internet-exposed applications to gain an initial foothold in victim networks.
Analyst Notes
While ICMP tunneling can be difficult to detect, there are options to help prevent these attacks. Deep Packet Inspection can help find abnormal ICMP packets being sent across the network, and either alert on them or prevent them from leaving. In most cases, the size and timing of ICMP packets follow a very predictable pattern. This is not the case when ICMP tunneling is used: packet sizes vary widely depending on the payload being sent, and the sending frequency becomes abnormal. The abnormal ICMP behavior exhibited by tunneling can then be alerted upon based on these factors. Alternatively, outbound ICMP can be blocked at the firewall. While not all organizations can do this because of network troubleshooting concerns, it is a very effective way to prevent ICMP tunneling from being used as a C2 channel. The activity performed by the RAT can also be detected and alerted upon. Since the malware uses cmd.exe to execute most of its behavior, alerts can be written that look for abnormal process spawning and execution frequency to help uncover potentially infected systems. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
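The following is an added example of the network-side heuristics described above (payload size spread, send frequency, and payload content) applied to ICMP Echo Request metadata. It is illustrative code written for this note, not detection logic from Binary Defense or Unit 42. The packet records, the two hosts, the thresholds, and the time window are all constructed and would need calibrating against a real network; the 32-byte "abcdefghijklmnopqrstuvwabcdefghi" payload is the default Windows ping payload and is used here as an allowlist entry so that a normal ping is not flagged by the Base64 check.

```python
import base64
import binascii
import hashlib
import math
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8

# Default payload that Windows ping.exe sends (32 bytes). Listed as known-benign
# so the heuristics below skip it; note it is also valid Base64, which is why an
# allowlist is needed in front of the content checks.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
KNOWN_BENIGN_PAYLOADS = {WINDOWS_PING_PAYLOAD}


@dataclass
class IcmpEcho:
    """One ICMP packet as a sensor might summarise it (assumed field set)."""
    ts: float        # capture time in seconds
    src: str
    dst: str
    icmp_type: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; encrypted/encoded data scores high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_base64(payload: bytes) -> bool:
    """True if the payload is non-trivial, strictly valid Base64."""
    if len(payload) < 16 or len(payload) % 4:
        return False
    try:
        return len(base64.b64decode(payload, validate=True)) > 0
    except (binascii.Error, ValueError):
        return False


def analyse(records, window=10.0, rate_threshold=10, size_spread_threshold=64.0,
            entropy_threshold=5.0):
    """Group Echo Requests by source host and return {src: [reasons]} for hosts
    whose ICMP traffic looks like a tunnel rather than ordinary pings."""
    by_src = defaultdict(list)
    for r in records:
        if r.icmp_type == ICMP_ECHO_REQUEST:
            by_src[r.src].append(r)

    findings = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p.ts)
        reasons = []

        # 1. Size spread: real pings repeat one size; tunnels vary with the data.
        sizes = [len(p.payload) for p in pkts]
        spread = statistics.pstdev(sizes) if len(sizes) > 1 else 0.0
        if spread > size_spread_threshold:
            reasons.append(f"payload size stdev {spread:.1f} bytes")

        # 2. Burst rate: most Echo Requests seen in any sliding time window.
        peak, i = 0, 0
        for j in range(len(pkts)):
            while pkts[j].ts - pkts[i].ts > window:
                i += 1
            peak = max(peak, j - i + 1)
        if peak > rate_threshold:
            reasons.append(f"{peak} echo requests within {window:.0f}s")

        # 3. Content: Base64-looking or high-entropy payloads that are not a
        #    known ping pattern.
        odd = sum(1 for p in pkts
                  if p.payload not in KNOWN_BENIGN_PAYLOADS
                  and (looks_like_base64(p.payload)
                       or shannon_entropy(p.payload) > entropy_threshold))
        if odd:
            reasons.append(f"{odd} packets with encoded/encrypted-looking payload")

        if reasons:
            findings[src] = reasons
    return findings


def sample_traffic():
    """Constructed sample: one host doing ordinary pings, one host whose ICMP
    carries Base64-wrapped pseudo-ciphertext of varying length at a high rate."""
    benign = [IcmpEcho(float(i), "10.0.0.5", "192.0.2.1", ICMP_ECHO_REQUEST,
                       WINDOWS_PING_PAYLOAD) for i in range(5)]
    tunnel = []
    for i in range(30):
        blob = hashlib.sha256(str(i).encode()).digest() * ((i % 6) + 1)
        tunnel.append(IcmpEcho(i * 0.3, "10.0.0.7", "203.0.113.10",
                               ICMP_ECHO_REQUEST, base64.b64encode(blob)))
    return benign + tunnel


if __name__ == "__main__":
    for host, why in analyse(sample_traffic()).items():
        print(host, "->", "; ".join(why))
```

Running the block prints only the tunnelling host with all three reasons; the pinging host is not reported. In practice the three signals are best weighted rather than OR-ed, and the size and rate thresholds should be learned from a baseline of the organisation's own ICMP traffic before alerts are enabled.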
https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html
https://unit42.paloaltonetworks.com/pingpull-gallium/#ICMP-Variant