One Article Review
Accueil - L'article:
Source Fortinet.webp Fortinet ThreatSignal
Identifiant 5135543
Date de publication 2022-06-13 12:40:35 (vue: 2022-06-13 20:07:03)
Titre PingPull RAT Activity Observed in New in the Wild Attacks (GALLIUM APT)
Texte FortiGuard Labs is aware of a newly discovered in-the-wild remote access tool (RAT) used by GALLIUM APT, called PingPull. GALLIUM has targeted telecommunication, financial and governmental verticals, specifically in Africa, Europe and Southeast Asia in the past.GALLIUM was first detailed by CyberReason and Microsoft in 2019 in an operation targeting telecom providers stealing call detail records (CDR) that contain transactional information of SMS messages, sent and received phone calls, timestamps and other records. GALLIUM uses various off the shelf tools, and modified open source tools and malware to attack organizations for various campaigns. PingPull was observed by Palo Alto Networks in this latest campaign. Usage of the China Chopper webshell is commonly associated with this APT group as well.Powered by the CTABecause of our partnership in the Cyber Threat Alliance alongside other trusted partner organizations, Fortinet customers were protected in advance of this announcement.What is PingPull?PingPull is a remote access trojan (RAT). What makes PingPull novel is the usage of ICMP (Internet Control Message Protocol) which is not a typical TCP/UDP packet, that allows the threat actor to evade detection as it is not often monitored for anomalous activity. PingPull can also leverage HTTPS and TCP as well for further evasion. PingPull has been observed to install itself as a service for persistence. Besides containing typical RAT functionality, PingPull allows for a reverse shell further adding insult to injury. Previous RATs used by GALLIUM were modified versions of Poison Ivy and Gh0st Rat.Who is GALLIUM?GALLIUM is an APT group attributed to the Chinese government. The modus operandi of this group is to use various off the shelf tools to eventually compromise an organization via the utilization of stolen certificates to ultimately perform lateral movement within. Due to non-standardized APT naming conventions, GALLIUM is also known as Operation Soft Cell (CyberReason).What is the Status of Coverage?FortiGuard customers are protected against PingPull RAT by the following (AV) signatures:W32/PossibleThreatW64/Agent.BGA!trAll known URIs are blocked by the WebFiltering Client.
Envoyé Oui
Condensat 2019 access activity actor adding advance africa against alliance allows alongside also alto announcement anomalous apt are asia associated attack attacks attributed aware been besides bga blocked call called calls campaign campaigns can cdr cell certificates china chinese chopper client commonly compromise contain containing control conventions coverage ctabecause customers cyber cyberreason detail detailed detection discovered due europe evade evasion eventually financial first following fortiguard fortinet functionality further gallium gh0st government governmental group has https icmp information injury install insult internet itself ivy known labs lateral latest leverage makes malware message messages microsoft modified modus monitored movement naming networks new newly non not novel observed off often open operandi operation organization organizations other packet palo partner partnership past perform persistence phone pingpull poison powered previous protected protocol providers rat rats received records remote reverse sent service shelf shell signatures:w32/possiblethreatw64/agent sms soft source southeast specifically standardized status stealing stolen targeted targeting tcp tcp/udp telecom telecommunication threat timestamps tool tools trall transactional trojan trusted typical ultimately uris usage use used uses utilization various versions verticals webfiltering webshell well what which who wild within
Tags Malware Tool Threat
Stories
Notes
Move


L'article ne semble pas avoir été repris aprés sa publication.


L'article ne semble pas avoir été repris sur un précédent.
My email: