Chinese APT Gallium Leverages PingPull Backdoor to Access a Reverse Shell and Run Arbitrary Commands
WHITE | Malware Advisory | SVThreatIntel | Created: 2022-06-27 | Modified: 2022-07-27
Chinese APT Gallium has been observed using a previously undocumented RAT in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) traffic, a channel that is easy to overlook when monitoring concentrates on TCP and UDP.

Victims
Gallium, a.k.a. Soft Cell, is known for its attacks primarily aimed at telecom companies dating as far back as 2012. However, over the past year, the group is said to have expanded its victims to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
Indicators of Compromise (30)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 1a96767957e193c45b1bf642f3293350 MD5 of b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541 2022-06-27
FileHash-MD5 7e01d776a0eb044a11bf91f3a68ce6f5 MD5 of fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e 2022-06-27
FileHash-MD5 83f860e22cadb5c3f247ad6dc834059a MD5 of c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845 2022-06-27
FileHash-MD5 9ad380e7b6d9c83b88ed1b307107912e MD5 of f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3 2022-06-27
FileHash-MD5 b4dd22013aefae6f721f0b67be61dc91 MD5 of de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761 2022-06-27
FileHash-MD5 d58c5fe6a5b5b3d494bae50d1df310f5 MD5 of 8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20 2022-06-27
FileHash-MD5 e12c09cf7ec74e8dfa412f9fdc8e1ee3 MD5 of 1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6 2022-06-27
FileHash-SHA1 177f953496b10a4256431166c6247cc5a135e343 SHA1 of de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761 2022-06-27
FileHash-SHA1 241b74dee500d61bb10ccfca598979499e40fdff SHA1 of c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845 2022-06-27
FileHash-SHA1 5c37b9701a1944b5df6437f7a76097ee1392b1a7 SHA1 of 8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20 2022-06-27
FileHash-SHA1 6d4cc7f30e0a67432244d1a3bb7c058be7c1795f SHA1 of f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3 2022-06-27
FileHash-SHA1 97713366202b6914e6defc4dfcbdff430785f407 SHA1 of b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541 2022-06-27
FileHash-SHA1 98aa72ecd43556837f94208431cb710d7eb803e7 SHA1 of 1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6 2022-06-27
FileHash-SHA1 a121f00aba46b8c8db956756723f357e9eacb6cc SHA1 of fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e 2022-06-27
FileHash-SHA256 1ce1eb64679689860a1eacb76def7c3e193504be53ebb0588cddcbde9d2b9fe6 2022-06-27
FileHash-SHA256 8b664300fff1238d6c741ac17294d714098c5653c3ef992907fc498655ff7c20 2022-06-27
FileHash-SHA256 b4aabfb8f0327370ce80970c357b84782eaf0aabfc70f5e7340746f25252d541 2022-06-27
FileHash-SHA256 c55ab8fdd060fb532c599ee6647d1d7b52a013e4d8d3223b361db86c1f43e845 2022-06-27
FileHash-SHA256 de14f22c88e552b61c62ab28d27a617fb8c0737350ca7c631de5680850282761 2022-06-27
FileHash-SHA256 f86ebeb6b3c7f12ae98fe278df707d9ebdc17b19be0c773309f9af599243d0a3 2022-06-27
FileHash-SHA256 fc2147ddd8613f08dd833b6966891de9e5309587a61e4b35408d56f43e72697e 2022-06-27
domain hinitial.com 2022-06-27
domain micfkbeljacob.com 2022-06-27
hostname df.micfkbeljacob.com 2022-06-27
hostname jack.micfkbeljacob.com 2022-06-27
hostname t1.hinitial.com 2022-06-27
hostname v2.hinitial.com 2022-06-27
hostname v3.hinitial.com 2022-06-27
hostname v4.hinitial.com 2022-06-27
hostname v5.hinitial.com 2022-06-27