PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | PingPull can mimic the names and descriptions of legitimate services such as |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PingPull can decrypt received data from its C2 server by using AES.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | PingPull can use |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | A PingPull variant can communicate with its C2 servers by using HTTPS.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1083 | File and Directory Discovery | PingPull can enumerate storage volumes and folder contents of a compromised host.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | |
| Enterprise | T1082 | System Information Discovery | PingPull can retrieve the hostname of a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | PingPull can retrieve the IP address of a compromised host.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | PingPull has the ability to exfiltrate stolen victim data through its C2 channel.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.[1] |
| Enterprise | T1571 | Non-Standard Port | |
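The T1573.001 and T1140 rows above describe the same scheme from both ends: AES in CBC mode with PKCS5 padding for outbound C2 traffic, and AES decryption of what the server sends back. The following Go program is an added example that re-implements that scheme so an analyst can see what a decryptor for such traffic has to get right; it is not PingPull's code and not derived from the report. The 32-byte key, the JSON tasking message, and the choice to prepend a random IV to each message are all constructed assumptions; the page does not say how PingPull derives its key or transmits the IV.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs5Pad appends n bytes of value n, 1 <= n <= blockSize, so the result is
// always a whole number of blocks (a full block of padding when already aligned).
func pkcs5Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding and rejects anything malformed instead of
// silently truncating: a wrong key or a tampered block shows up here.
func pkcs5Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("plaintext length is not a block multiple")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptC2 encrypts one message with AES-CBC and PKCS5 padding. The random IV
// is prepended to the ciphertext (an assumption of this example).
func EncryptC2(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs5Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptC2 reverses EncryptC2: split off the IV, decrypt, validate padding.
func DecryptC2(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs5Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample key and tasking message; not real PingPull traffic.
	key := []byte("0123456789abcdef0123456789abcdef")
	msg := []byte(`{"cmd":"whoami","id":1}`)
	ct, _ := EncryptC2(key, msg)
	pt, err := DecryptC2(key, ct)
	fmt.Printf("roundtrip ok=%v err=%v plaintext=%s\n", bytes.Equal(pt, msg), err, pt)

	// Flip one ciphertext byte: the last plaintext block becomes garbage and
	// the padding check almost always rejects it (about 1 in 256 slips through).
	ct[len(ct)-1] ^= 0x01
	_, err = DecryptC2(key, ct)
	fmt.Println("tampered:", err)
}
```

Two practitioner caveats. First, "PKCS5" with AES is a loose label: PKCS#5 padding is defined for 8-byte blocks, and what is actually applied to AES's 16-byte blocks is PKCS#7, which is byte-for-byte the same rule with a larger maximum. Second, CBC with padding gives no integrity; when writing a decryptor for recovered traffic, treat a padding error as "wrong key, wrong IV convention, or truncated capture" and check those before assuming the sample deviates from the reported scheme.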