Alloy Taurus, a Chinese nation-state group notorious for attacking telecom companies since 2012, has been spotted using a Linux variation of the backdoor PingPull and a new unnamed tool called Sword2033. Palo Alto Networks Unit 42 discovered these malicious activities recently, targeting South Africa and Nepal. These attacks also include financial institutions and government entities.
PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control communications. The Linux flavor of the malware was uploaded to VirusTotal on March 7, 2023, and functions similarly to its Windows counterpart. It can carry out file operations and run arbitrary commands by transmitting an uppercase character between A and K, and M from the C2 server. PingPull’s parsing of the C2 instructions is similar to that of China Chopper, a web shell widely used by Chinese threat actors, indicating that the threat actor is repurposing existing source code to create custom tools.
The existence of a new ELF artifact known as Sword2033 has been discovered upon closer examination of the domain yrhsywu2009.zapto[.]org, which is associated with Alloy Taurus. Sword2033 supports three basic functions, including uploading and exfiltrating files to and from the system and executing commands.
Unit 42 notes that the identification of the Linux variant of PingPull malware and the recent use of Sword2033 suggest that Alloy Taurus is continuously evolving its operations in support of its espionage activities. The targeting of South Africa is significant because the country held a joint 10-day naval drill with Russia and China earlier this year. Alloy Taurus remains an active threat to telecommunications, finance, and government organizations across Southeast Asia, Europe, and Africa.
