Researchers ID new RAT developed by Chinese hacking group with growing target list

The remote access trojan mimics legitimate computer activity to make it harder to detect, the researchers said.

An established Chinese hacking group known for targeting telecommunications, finance and government organizations around the world has developed a “new, difficult-to-detect” remote access trojan it is using as part of its espionage activities, researchers with Palo Alto Networks’ Unit 42 said in research published Monday.

The researchers spotted the malware as part of their ongoing monitoring of a hacking group known as Gallium, a Chinese state-sponsored group active since at least 2012 according to Mitre, a nonprofit research organization funded by private grants and the U.S. government.

Gallium has extended its targeting beyond telecommunications over the last year, the Unit 42 researchers wrote, to include financial institutions and government entities.

The remote access trojan (RAT), dubbed “PingPull” by the researchers, can make it more difficult to detect its command and control communications in part by leveraging the ICMP protocol, typically used by devices on a network to diagnose communication issues and send error reports. The use of ICMP is not a novel technique, but PingPull makes detection harder “as few organizations implement inspection of ICMP traffic on their networks,” the researchers wrote.
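The detection gap the researchers describe, that ICMP traffic usually goes uninspected, is the kind of thing a network defender can close with a simple payload check. The script below is an added illustration, not Unit 42's code and not derived from any PingPull sample: it parses raw IPv4/ICMP frames and flags echo payloads that do not look like what ordinary ping utilities send. The Windows and Linux ping payload patterns are well-known defaults; the entropy threshold, the sample frames and the `build_frame` helper are constructed assumptions for the demonstration.

```python
"""Heuristic inspection of ICMP echo payloads for command-and-control-like traffic.

Added example (not from the article or Unit 42).  Parses raw IPv4/ICMP frames
and reports why an echo payload does not look like a stock ping.
"""
import math
import struct
from typing import List, Optional, Tuple

# Well-known defaults of common ping utilities (not taken from the page).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32 bytes
LINUX_PING_LEN = 56              # 16-byte timestamp followed by filler bytes
ENTROPY_THRESHOLD = 5.0          # bits/byte; assumed cut-off for "looks encoded/encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the payload (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_linux_ping(payload: bytes) -> bool:
    """iputils ping fills each byte after the 16-byte timestamp with its own offset (0x10, 0x11, ...)."""
    return len(payload) == LINUX_PING_LEN and all(payload[i] == i for i in range(16, LINUX_PING_LEN))


def parse_icmp(packet: bytes) -> Optional[Tuple[int, int, int, int, bytes]]:
    """Split a raw IPv4 frame into (type, code, identifier, sequence, payload); None if not ICMP."""
    if len(packet) < 20:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 = ICMP
        return None
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return icmp_type, code, ident, seq, packet[ihl + 8:]


def inspect_icmp(packet: bytes) -> List[str]:
    """Reasons the frame looks suspicious; an empty list means it looks like an ordinary ping."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return []                          # not ICMP: out of scope for this detector
    icmp_type, _code, _ident, _seq, payload = parsed
    if icmp_type not in (0, 8):
        return ["icmp type %d is not echo request/reply" % icmp_type]
    if payload == WINDOWS_PING_PAYLOAD or looks_like_linux_ping(payload):
        return []
    reasons = []
    ent = shannon_entropy(payload)
    if ent > ENTROPY_THRESHOLD:
        reasons.append("high-entropy payload (%.2f bits/byte)" % ent)
    if len(payload) not in (32, 56):
        reasons.append("non-default payload length %d" % len(payload))
    if not reasons:
        reasons.append("payload does not match a known ping pattern")
    return reasons


def build_frame(icmp_type: int, payload: bytes, proto: int = 1, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed test frame: minimal IPv4 header + ICMP header (checksums left zero)."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return ip_hdr + icmp_hdr + payload


# Constructed sample frames (not captured traffic).
SAMPLES = {
    "windows_ping": build_frame(8, WINDOWS_PING_PAYLOAD),
    "linux_ping": build_frame(8, struct.pack("<QQ", 1_700_000_000, 123456) + bytes(range(16, 56))),
    # 64 distinct byte values standing in for an encoded blob: entropy is exactly 6 bits/byte.
    "high_entropy": build_frame(0, bytes((i * 73 + 17) % 256 for i in range(64))),
    "custom_payload": build_frame(8, b"custom pattern, not a ping default"),
    "tcp_frame": build_frame(8, b"x" * 32, proto=6),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        verdict = inspect_icmp(frame) or ["looks like ordinary ping / not ICMP"]
        print("%-15s %s" % (name, "; ".join(verdict)))
```

The point of the example is that the check is cheap: a sensor that already sees the packets only needs to compare echo payloads against the handful of patterns real ping tools emit and look at size and entropy. Tune the threshold and the allow-list to what your own hosts actually send (custom `ping -p` patterns, monitoring probes) before alerting on it.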
It’s not clear in how many of the observed campaigns PingPull was used, but the researchers observed the group hitting targets in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam, they said.

There are also PingPull variants that rely on different protocols for command and control operations, including HTTP(S), the protocol a web browser uses to exchange data with a website, and the Transmission Control Protocol, or TCP, which lets programs and devices exchange messages over a network.

Regardless of the variant, the malware mimics legitimate computer operations to try to blend into normal activity. Once inside a system, it can perform a variety of actions, such as reading, writing, deleting, copying and moving files, the researchers wrote.

“GALLIUM remains an active threat to telecommunications, finance and government organizations across Southeast Asia, Europe and Africa,” the researchers wrote.
