{ "type": "Domain", "indicator": "hinitial.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/hinitial.com", "alexa": "http://www.alexa.com/siteinfo/hinitial.com", "indicator": "hinitial.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3446153809, "indicator": "hinitial.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "62a74fa1f6c0a26fb46daa71", "name": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool", "description": "Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.\n\nUnit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa. The group\u2019s geographic targeting, sector-specific focus and technical proficiency, combined with their use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs), has resulted in industry assessments that GALLIUM is likely a Chinese state-sponsored group.", "modified": "2022-07-13T00:02:33.637000", "created": "2022-06-13T14:54:24.884000", "tags": [ "GALLIUM", "Telecommunications", "Government", "PingPull", "APT" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 388, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386483, "modified_text": "1418 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634e14f7aaa4a8076424d7dc", "name": "Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks", "description": "", "modified": "2022-10-18T02:52:39.208000", "created": "2022-10-18T02:52:39.208000", "tags": [ "pingpull", "icmp", "c2 server", "figure", "project", "post request", "unit", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": "62a75f9dfc95304872ff1151", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fontwang1234", "id": "196068", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1321 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fc659fc5991685ecd91d88", "name": "Ping Pull Malware Detection: New Stealthy RAT Used by Gallium APT", "description": "", "modified": "2022-09-16T00:05:57.569000", "created": "2022-08-17T03:50:55.045000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "HemaTemenos", "id": "85330", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1, "hostname": 5 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 89, "modified_text": "1353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ba967d6a27d7ef57cee115", "name": "PingPull RAT: Propagation, Exploitation, and Indicators of Compromise", "description": "PingPull is a Remote Access Trojan (RAT) that has been recently used by a Chinese state-sponsored threat group, named Gallium.\n\nHow it Spreads\nGallium group has been observed using the PingPull RAT in their recent campaigns. Further, the RAT is described as particularly stealthy and used in espionage operations. It is used against financial and government entities in Europe, Africa, and Southeast Asia. PingPull RAT deploys a reverse shell on the targeted machine to execute remote commands.", "modified": "2022-07-28T00:02:14.384000", "created": "2022-06-28T05:49:49.236000", "tags": [ "pingpull c2", "locations", "Malware", "RAT" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "1403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62b97f14ac76bbad1edce442", "name": "Chinese APT Gallium Leverages PingPull Backdoor to Access a Reverse Shell and Run Arbitrary Commands", "description": "Chinese APT Gallium has been observed using a previously undocumented RAT in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for C2.\n\nVictims\nGallium, a.k.a Soft Cell, is known for its attacks primarily aimed at telecom companies dating as far back as 2012. However, over the past year, the group is said to have expanded its victims to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.", "modified": "2022-07-27T00:02:05.219000", "created": "2022-06-27T09:57:40.569000", "tags": [ "iocs samples", "pingpull c2", "Malware", "Chinese APT", "Gallium" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "1404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a8198e871bb6052632841e", "name": "VTA - Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks", "description": "A Chinese advanced persistent threat (APT) known as \"Gallium\" has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the \"difficult-to-detect\" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. However, PingPull does not only use ICMP, but also HTTPS and TCP for the C2 communications. The malware is a Visual C++-based malware, where it provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping\u00a0files. In all three variants, namely ICMP, HTTPS and TCP,\u00a0the malware installs itself as a service and has a description simulating a legitimate service, aiming to discourage users from terminating it.", "modified": "2022-07-14T00:05:09.745000", "created": "2022-06-14T05:15:58.431000", "tags": [ "pingpull", "icmp", "c2 server", "figure", "project", "post request", "unit", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/#PingPull-Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "1417 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a8830d0d22993b931ab58e", "name": "GALLIUM", "description": "A search for the most popular domain name on the internet has been launched by the University of California, Los Angeles, to find out if it has any links to a particular website.. and its users", "modified": "2022-07-14T00:05:09.745000", "created": "2022-06-14T12:46:05.969000", "tags": [ "c2 locations", "addresses", "active" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1417 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a720482525ac5edc283064", "name": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool", "description": "A new, difficult-to-detect remote access trojan being used by an advanced persistent threat group is being developed by Palo Alto Networks Unit 42, a security firm based in Hong Kong.", "modified": "2022-07-13T00:02:33.637000", "created": "2022-06-13T11:32:24.536000", "tags": [ "pingpull", "fail", "icmp", "c2 server", "project", "figure", "post request", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "FileHash-SHA256": 7, "YARA": 1, "domain": 2, "hostname": 7 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1418 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a75f9dfc95304872ff1151", "name": "Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks", "description": "A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa.\n\nCalled PingPull, the \"difficult-to-detect\" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, according to new research published by Palo Alto Networks Unit 42 today.", "modified": "2022-07-13T00:02:33.637000", "created": "2022-06-13T16:02:37.188000", "tags": [ "pingpull", "icmp", "c2 server", "figure", "project", "post request", "unit", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 280, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 433, "modified_text": "1418 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a7320e5e96cac86a265e78", "name": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool", "description": "PingPull was written in Visual C++ and provides a threat actor the ability to run commands and access a reverse shell on a compromised host. There are three variants of PingPull that are all functionally the same but use different protocols for communications with their C2: ICMP, HTTP(S) and raw TCP. In each of the variants, PingPull will create a custom string with the following structure that it will send to the C2 in all interactions.", "modified": "2022-06-13T12:48:14.307000", "created": "2022-06-13T12:48:14.307000", "tags": [], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://attack.mitre.org/groups/G0093/" ], "public": 1, "adversary": "GALLIUM", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RTTM_SOC", "id": "44503", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_44503/resized/80/avatar_a4129ae099.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "domain": 2, "hostname": 7 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 88, "modified_text": "1447 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", ".org.chromium.Chromium.T2jdbS", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.HMzFxo", "https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "bauh@mrkd", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "https://attack.mitre.org/groups/G0093/", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "stdbool.ht64kj6qw.c", "v8-compile-cache-1000", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", ".org.chromium.Chromium.8GBhMA", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "albert_yt_ynb2tftv", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", ".ICE-unix", ".X11-unix", "https://unit42.paloaltonetworks.com/pingpull-gallium/", "tmp90lfbdek", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "pytest-of-mrkd", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "v8-compile-cache-0", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "tmp.ziktUZeKXL", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "plasma-csd-generator.LTvjbT", ".vbox-mrkd-ipc", "qtsingleapp-Notifi-4c42-3e8-lockfile", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "tmp.D4NXyZ3U4J", "runtime-root", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", ".org.chromium.Chromium.coQnti", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "strlcpydb8x03.c", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "fish.root", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "strlcatmMvE1V.c", "https://unit42.paloaltonetworks.com/pingpull-gallium/#PingPull-Malware", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "20230816_202710-scantemp.b14ff4bc3a", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "@tmp", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "qtsingleapp-Octopi-1d88-3e8-lockfile", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "stdbool.hcc0B2j.c", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "tst-bz26353KOtJVp", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", ".org.chromium.Chromium.12ZdF3", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", ".X0-lock", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Pingpull" ], "industries": [ "Government", "Financial", "Finance", "Telecommunications", "Telecommunication" ] }, "other": { "adversary": [ "N/A", "Malware Advisory", "GALLIUM" ], "malware_families": [ "Sf:shellcode-dz\\ [trj]", "Delphi", "Bv:telegrambot-a\\ [trj]", "Netexecutablemicrosoft", "Trojandownloader:linux/morila!mtb", "Slf:mamacsemacro.a", "Backdoor:win32/r2d2.a", "Pingpull", "Trojandropper:win32/fakeflexnet.a", "Ransom:linux/darkradiation.a!mtb" ], "industries": [ "Government", "Financial", "Finance", "Telecommunications", "Telecommunication", "Individuals" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "62a74fa1f6c0a26fb46daa71", "name": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool", "description": "Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.\n\nUnit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa. The group\u2019s geographic targeting, sector-specific focus and technical proficiency, combined with their use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs), has resulted in industry assessments that GALLIUM is likely a Chinese state-sponsored group.", "modified": "2022-07-13T00:02:33.637000", "created": "2022-06-13T14:54:24.884000", "tags": [ "GALLIUM", "Telecommunications", "Government", "PingPull", "APT" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 388, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386483, "modified_text": "1418 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64dd9c1d76a7807782a691d3", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "I had wrapped the majority of the files i'd run since the 14th into the Pulse of the same date, but at over 17k indicators i think it was time to put that one to rest. Obviously time and life allowing my intention is to keep updating and creating more of these as long as i'm kept flush with content. At current i'm pretty damned flush. This is just a preliminary dump of my /tmp folder on Arch. part of the infection chain is process hallowing and then hijacking a program close to the user, with decent call ability to the rest of the system.", "modified": "2024-02-14T21:44:02.852000", "created": "2023-08-17T04:03:41.985000", "tags": [ "o cloexec", "r procversion", "cachyos", "gnu ld", "gnu binutils", "microsoft", "f lockfd", "cygwin", "u respfd", "procselffd13", "procselffd14", "x8664", "uname", "linux", "getconf", "cpus32", "case", "m x8664", "s linux", "x8664 o", "z linux", "z x8664", "replying", "timing", "successfully", "shift", "procselffd16", "empty", "head", "dirty", "found", "splitting", "license", "index", "kill", "zfrm", "argv" ], "references": [ ".ICE-unix", ".org.chromium.Chromium.12ZdF3", ".vbox-mrkd-ipc", "@tmp", ".org.chromium.Chromium.T2jdbS", ".X11-unix", "albert_yt_ynb2tftv", "fish.root", "20230816_202710-scantemp.b14ff4bc3a", "plasma-csd-generator.LTvjbT", "pytest-of-mrkd", "runtime-root", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-ananicy-cpp.service-U5RKxp", ".org.chromium.Chromium.coQnti", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-bluetooth.service-7fh2tg", "bauh@mrkd", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-iwd.service-jnpcHR", ".org.chromium.Chromium.8GBhMA", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-polkit.service-CfCUQZ", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-systemd-logind.service-Q9OYbj", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-power-profiles-daemon.service-hSCDr7", ".org.chromium.Chromium.HMzFxo", "Temp-0c3dc677-7d66-4234-b14e-f604605b2d0c", "tmp.D4NXyZ3U4J", "systemd-private-28f1c54986a24a4fa12e1cfe0bb09aa0-uksmd.service-oAjI9s", "Temp-0148ee46-b3e0-4c4b-aa55-b60c6b63eb6f", "tmp.ziktUZeKXL", "v8-compile-cache-0", "tmp90lfbdek", "tst-bz26353KOtJVp", "v8-compile-cache-1000", ".X0-lock", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.xtrace.log", "Temp-4d7e99a7-2d45-4347-a3b6-b64e3ae65e2e", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.6339.1692232717.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.10291.1692217508.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.9950.1692233029.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.11270.1692217597.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.8928.1692232861.2.daemon.log", "gitstatus.POWERLEVEL9K.1000.10858.1692217566.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.11926.1692233325.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12928.1692233448.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.10525.1692233087.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13309.1692233456.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.28823.1692223670.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.12470.1692233381.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.23930.1692220492.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.13878.1692218150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.28463.1692223667.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.75659.1692225165.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.81737.1692225737.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.78332.1692225277.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.82565.1692225764.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.82162.1692225750.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83486.1692225808.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.83038.1692225779.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84305.1692225848.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.84754.1692225891.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.122089.1692235219.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.83896.1692225820.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.154521.1692237692.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.155609.1692237756.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.237594.1692238521.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240024.1692238828.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.241161.1692238939.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.240792.1692238921.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.237952.1692238535.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.247194.1692239163.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.248323.1692239206.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.253137.1692239505.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240121.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240136.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267109.1692240155.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.263981.1692240117.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240156.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.317097.1692240795.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.267442.1692240150.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.xtrace.log", "gitstatus.POWERLEVEL9K.1000.268412.1692240179.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.345673.1692241474.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.daemon.log", "qtsingleapp-Notifi-4c42-3e8", "gitstatus.POWERLEVEL9K.1000.2588447.1692243345.1.xtrace.log", "memmemY_2MMv.c", "gitstatus.POWERLEVEL9K.1000.2586196.1692243336.1.daemon.log", "gitstatus.POWERLEVEL9K.1000.2703415.1692243471.1.xtrace.log", "qtsingleapp-Notifi-4c42-3e8-lockfile", "stdbool.hcc0B2j.c", "strlcatmMvE1V.c", "qtsingleapp-Octopi-1d88-3e8-lockfile", "strlcpydb8x03.c", "stdbool.ht64kj6qw.c", "qtsingleapp-Octopi-1d88-3e8", "gitstatus.POWERLEVEL9K.1000.267442.1692240143.1.daemon.log", "https://hybrid-analysis.com/sample/43b03483bf2b292ebb1b33469ab4b19e2ac84b1c86c0f34f60adab4bc64176b9", "https://hybrid-analysis.com/sample/320a60044adeccec22937423e859d2b095e976698133e37a83e019ce08c8bc0c", "https://hybrid-analysis.com/file-collection/64dfee6a3329552c91026445", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca", "https://hybrid-analysis.com/sample/8c7c7246468ffeffe01617b597622cd237fa334fb24dc4977fcac398bbe0df80", "https://hybrid-analysis.com/sample/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/64dff1fbeab7dc252b0e56a6", "https://www.virustotal.com/gui/file/79e3317a07b12a977f7fda3463779055bbfec748e7fae4c2c1d1cb9bb8e408ca/details", "https://otx.alienvault.com/indicator/file/5820da0bbae4f091dc0248e566d8f1076fd81485d1893effa14cdc1dc122f1fd" ], "public": 1, "adversary": "N/A", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BV:TelegramBot-A\\ [Trj]", "display_name": "BV:TelegramBot-A\\ [Trj]", "target": null }, { "id": "Ransom:Linux/DarkRadiation.A!MTB", "display_name": "Ransom:Linux/DarkRadiation.A!MTB", "target": "/malware/Ransom:Linux/DarkRadiation.A!MTB" }, { "id": "SLF:MamacseMacro.A", "display_name": "SLF:MamacseMacro.A", "target": null }, { "id": "TrojanDownloader:Linux/Morila!MTB", "display_name": "TrojanDownloader:Linux/Morila!MTB", "target": "/malware/TrojanDownloader:Linux/Morila!MTB" }, { "id": "Backdoor:Win32/R2d2.A", "display_name": "Backdoor:Win32/R2d2.A", "target": "/malware/Backdoor:Win32/R2d2.A" }, { "id": "Sf:ShellCode-DZ\\ [Trj]", "display_name": "Sf:ShellCode-DZ\\ [Trj]", "target": null }, { "id": "NETexecutableMicrosoft", "display_name": "NETexecutableMicrosoft", "target": null }, { "id": "TrojanDropper:Win32/FakeFlexnet.A", "display_name": "TrojanDropper:Win32/FakeFlexnet.A", "target": "/malware/TrojanDropper:Win32/FakeFlexnet.A" }, { "id": "Delphi", "display_name": "Delphi", "target": null } ], "attack_ids": [], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 206, "domain": 5129, "FileHash-MD5": 177, "FileHash-SHA1": 114, "URL": 646, "hostname": 2078, "CVE": 412, "email": 4 }, "indicator_count": 8766, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "836 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65709ffcf3ffe737f8cb8dfd", "name": "IOC's found on my pesonal devices; week starting 08/14/23", "description": "", "modified": "2023-12-06T16:23:24.919000", "created": "2023-12-06T16:23:24.919000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 103, "hostname": 524, "domain": 1292, "FileHash-SHA256": 95, "FileHash-MD5": 54, "FileHash-SHA1": 39, "URL": 169, "email": 1 }, "indicator_count": 2277, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "634e14f7aaa4a8076424d7dc", "name": "Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks", "description": "", "modified": "2022-10-18T02:52:39.208000", "created": "2022-10-18T02:52:39.208000", "tags": [ "pingpull", "icmp", "c2 server", "figure", "project", "post request", "unit", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": "62a75f9dfc95304872ff1151", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "fontwang1234", "id": "196068", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "1321 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62fc659fc5991685ecd91d88", "name": "Ping Pull Malware Detection: New Stealthy RAT Used by Gallium APT", "description": "", "modified": "2022-09-16T00:05:57.569000", "created": "2022-08-17T03:50:55.045000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "HemaTemenos", "id": "85330", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 8, "FileHash-SHA1": 8, "FileHash-SHA256": 8, "domain": 1, "hostname": 5 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 89, "modified_text": "1353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62ba967d6a27d7ef57cee115", "name": "PingPull RAT: Propagation, Exploitation, and Indicators of Compromise", "description": "PingPull is a Remote Access Trojan (RAT) that has been recently used by a Chinese state-sponsored threat group, named Gallium.\n\nHow it Spreads\nGallium group has been observed using the PingPull RAT in their recent campaigns. Further, the RAT is described as particularly stealthy and used in espionage operations. It is used against financial and government entities in Europe, Africa, and Southeast Asia. PingPull RAT deploys a reverse shell on the targeted machine to execute remote commands.", "modified": "2022-07-28T00:02:14.384000", "created": "2022-06-28T05:49:49.236000", "tags": [ "pingpull c2", "locations", "Malware", "RAT" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 190, "modified_text": "1403 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62b97f14ac76bbad1edce442", "name": "Chinese APT Gallium Leverages PingPull Backdoor to Access a Reverse Shell and Run Arbitrary Commands", "description": "Chinese APT Gallium has been observed using a previously undocumented RAT in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for C2.\n\nVictims\nGallium, a.k.a Soft Cell, is known for its attacks primarily aimed at telecom companies dating as far back as 2012. However, over the past year, the group is said to have expanded its victims to include financial institutions and government entities located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.", "modified": "2022-07-27T00:02:05.219000", "created": "2022-06-27T09:57:40.569000", "tags": [ "iocs samples", "pingpull c2", "Malware", "Chinese APT", "Gallium" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "Malware Advisory", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SVThreatIntel", "id": "148120", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 191, "modified_text": "1404 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a8198e871bb6052632841e", "name": "VTA - Chinese 'Gallium' Hackers Using New PingPull Malware in Cyberespionage Attacks", "description": "A Chinese advanced persistent threat (APT) known as \"Gallium\" has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the \"difficult-to-detect\" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. However, PingPull does not only use ICMP, but also HTTPS and TCP for the C2 communications. The malware is a Visual C++-based malware, where it provides a threat actor the ability to access a reverse shell and run arbitrary commands on a compromised host. This encompasses carrying out file operations, enumerating storage volumes, and timestomping\u00a0files. In all three variants, namely ICMP, HTTPS and TCP,\u00a0the malware installs itself as a service and has a description simulating a legitimate service, aiming to discourage users from terminating it.", "modified": "2022-07-14T00:05:09.745000", "created": "2022-06-14T05:15:58.431000", "tags": [ "pingpull", "icmp", "c2 server", "figure", "project", "post request", "unit", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/#PingPull-Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Superpro", "id": "61676", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 8, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 214, "modified_text": "1417 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a8830d0d22993b931ab58e", "name": "GALLIUM", "description": "A search for the most popular domain name on the internet has been launched by the University of California, Los Angeles, to find out if it has any links to a particular website.. and its users", "modified": "2022-07-14T00:05:09.745000", "created": "2022-06-14T12:46:05.969000", "tags": [ "c2 locations", "addresses", "active" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "brazen.fox.thirteen", "id": "155136", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 7, "FileHash-SHA256": 7, "domain": 2, "hostname": 7 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "1417 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62a720482525ac5edc283064", "name": "GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool", "description": "A new, difficult-to-detect remote access trojan being used by an advanced persistent threat group is being developed by Palo Alto Networks Unit 42, a security firm based in Hong Kong.", "modified": "2022-07-13T00:02:33.637000", "created": "2022-06-13T11:32:24.536000", "tags": [ "pingpull", "fail", "icmp", "c2 server", "project", "figure", "post request", "http", "palo alto", "networks", "alliance", "wildfire" ], "references": [ "https://unit42.paloaltonetworks.com/pingpull-gallium/" ], "public": 1, "adversary": "", "targeted_countries": [ "Viet Nam", "Russian Federation", "Philippines", "Mozambique", "Malaysia", "Cambodia", "Belgium", "Australia", "Afghanistan" ], "malware_families": [ { "id": "PingPull", "display_name": "PingPull", "target": null } ], "attack_ids": [ { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [ "Financial", "Telecommunication", "Finance", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "mohdrennis", "id": "138092", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 7, "FileHash-SHA256": 7, "YARA": 1, "domain": 2, "hostname": 7 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 355, "modified_text": "1418 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "hinitial.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "hinitial.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780204109.7446043 }