A China-based threat group known as Gallium has been observed using a newly discovered Remote Access Trojan (RAT) in its espionage attacks, which have targeted companies operating in Southeast Asia, Europe, and Africa.
This RAT, named PingPull, is notable for its ability to use the Internet Control Message Protocol (ICMP) for its Command and Control (C2) activity. It sends specially crafted ICMP Echo Request packets to the C2 server, which responds with Echo Reply packets carrying the commands to execute. Requests and replies share the same structure and carry a Base64-encoded, AES-encrypted payload in each direction. This hard-to-detect technique lets the threat actors stealthily execute commands such as reading or writing files, listing folder contents, running commands via cmd.exe, and so on.
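As an added defender-side example (not code from the article or from any PingPull sample), the following Python heuristic parses raw ICMP Echo datagrams and flags payloads shaped like the Base64-wrapped ciphertext described above; the sample packets, the 64-byte length floor and the entropy threshold are constructed assumptions, not measured values.

```python
import base64
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical distribution; ciphertext approaches 8.0, ping filler stays low."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_icmp(datagram: bytes):
    """Split a raw ICMP datagram (IP header already stripped) into header fields and payload."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return icmp_type, code, ident, seq, datagram[8:]


def is_suspicious_echo(datagram: bytes, min_len: int = 64, min_entropy: float = 6.0) -> bool:
    """Flag Echo Request/Reply payloads that are long, purely Base64, and decode to high-entropy bytes.
    Thresholds are assumptions: normal pings carry 32 or 56 bytes of predictable filler."""
    icmp_type, code, _, _, payload = parse_icmp(datagram)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        return False
    if len(payload) < min_len or any(b not in B64_ALPHABET for b in payload):
        return False
    try:
        decoded = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return shannon_entropy(decoded) >= min_entropy


def build_echo(icmp_type: int, payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test datagram; checksum left at zero because the heuristic never checks it."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


# Constructed samples: default Windows and Linux ping payloads, then a stand-in for an
# encrypted C2 blob (a SHA-256 chain gives deterministic pseudo-random "ciphertext").
WINDOWS_PING = build_echo(ICMP_ECHO_REQUEST, b"abcdefghijklmnopqrstuvwabcdefghi")
LINUX_PING = build_echo(ICMP_ECHO_REQUEST, b"\x00" * 16 + bytes(range(0x10, 0x38)))
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
C2_LIKE_REPLY = build_echo(ICMP_ECHO_REPLY, base64.b64encode(FAKE_CIPHERTEXT))

if __name__ == "__main__":
    for name, pkt in [("windows ping", WINDOWS_PING), ("linux ping", LINUX_PING), ("c2-like", C2_LIKE_REPLY)]:
        print(f"{name:13s} suspicious={is_suspicious_echo(pkt)}")
```

In practice the same check would be applied to echo payloads exported from a packet capture or IDS, and a per-host count of flagged packets makes a better alert than any single hit.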
Other PingPull variants were also discovered that use more conventional C2 protocols, such as HTTPS and raw TCP. While the initial access vector for these specific attacks is unknown, Gallium has previously been known to exploit internet-exposed applications to gain an initial foothold in victim networks.