The Chinese nation-state group tracked as Alloy Taurus is using a Linux variant of the PingPull backdoor as well as a new, previously undocumented tool codenamed Sword2033.
That’s according to findings from Palo Alto Networks Unit 42, which found recent malicious cyber activity by the group targeting South Africa and Nepal.
Alloy Taurus is the constellation-themed moniker assigned to a threat actor known for its attacks targeting telecommunications companies since at least 2012. It is also tracked by Microsoft as Granite Typhoon (formerly Gallium).
Last month, the adversary was linked to a campaign called Tainted Love targeting telecommunications providers in the Middle East as part of a wider operation known as Soft Cell.
The recent cyber espionage attacks carried out by Alloy Taurus have also expanded the group’s victimology to include financial institutions and government entities.
PingPull, first documented by Unit 42 in June 2022, is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.
The Linux flavor of the malware is similar in functionality to its Windows counterpart, allowing it to perform file operations and execute arbitrary commands; the C2 server selects the action by sending a single uppercase character, A through K or M.
“After execution, this sample is configured to communicate with the domain yrhsywu2009.zapto(.)org via port 8443 for C2,” Unit 42 said. “It uses the statically linked OpenSSL library (OpenSSL 0.9.8e) to interact with the domain over HTTPS.”
Interestingly, PingPull’s parsing of C2 instructions mirrors that of the China Chopper web shell, which is widely used by Chinese threat actors, indicating that the threat actors reuse existing source code to build custom tools.
Closer inspection of the domain also revealed the presence of another ELF artifact (namely, Sword2033) that supports three basic functions, including uploading and exfiltrating files and executing commands.
The malware’s link to Alloy Taurus stems from the fact that the domain resolved to an IP address previously identified as an active indicator of compromise (IoC) associated with earlier campaigns targeting companies operating in Southeast Asia, Europe and Africa.
The targeting of South Africa, according to the cybersecurity firm, comes against the backdrop of the country holding a 10-day joint naval exercise with Russia and China earlier this year.
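The one network indicator the report publishes is the C2 domain above (written defanged) and its port 8443. The following is an added example of how a defender would operationalize that indicator against their own logs; it is not Unit 42’s code. It refangs the domain, matches it (and any subdomain) against DNS and connection records, and notes when the reported port is also seen. The two-column record layout and the log lines are constructed for this example, not a format the report describes.

```python
"""Match the PingPull C2 domain reported by Unit 42 against log lines.

Added example, not Unit 42's tooling. The records below are constructed
for illustration; the simplified whitespace-separated layout is an
assumption, not a format the report describes.
"""
import re

# Indicator from the report, kept in the defanged form in which it was published.
C2_DOMAIN_DEFANGED = "yrhsywu2009.zapto(.)org"
C2_PORT = 8443


def refang(indicator: str) -> str:
    """Turn common defanging notations ((.), [.], {.}, hxxp) back into a usable value."""
    value = indicator.strip().lower()
    value = value.replace("(.)", ".").replace("[.]", ".").replace("{.}", ".")
    value = re.sub(r"^hxxps?://", "", value)
    return value


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)


def domain_matches(candidate: str) -> bool:
    """True for the C2 domain itself or any subdomain of it (never a lookalike suffix)."""
    c = candidate.strip().lower().rstrip(".")
    return c == C2_DOMAIN or c.endswith("." + C2_DOMAIN)


def scan_lines(lines):
    """Return (line_no, reason) pairs for lines that touch the reported C2.

    Two constructed record shapes are assumed:
      dns  <ts> <src_ip> <query>
      conn <ts> <src_ip> <dst_host> <dst_port>
    A DNS query for the domain is a hit on its own; a connection is a hit when
    the destination host matches, and the reported port 8443 is called out.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        kind = parts[0]
        if kind == "dns" and domain_matches(parts[3]):
            hits.append((n, f"dns query for {C2_DOMAIN}"))
        elif kind == "conn" and len(parts) >= 5 and domain_matches(parts[3]):
            port_note = " on reported port 8443" if parts[4] == str(C2_PORT) else ""
            hits.append((n, f"connection to {C2_DOMAIN}{port_note}"))
    return hits


# Constructed sample records, not data from the report.
SAMPLE_LOGS = [
    "dns  2023-04-26T10:00:01Z 10.0.0.5 update.example.org",
    "dns  2023-04-26T10:00:07Z 10.0.0.5 yrhsywu2009.zapto.org",
    "conn 2023-04-26T10:00:08Z 10.0.0.5 yrhsywu2009.zapto.org 8443",
    "conn 2023-04-26T10:00:09Z 10.0.0.7 mail.example.org 443",
    "conn 2023-04-26T10:01:12Z 10.0.0.9 files.yrhsywu2009.zapto.org 443",
]

if __name__ == "__main__":
    for line_no, reason in scan_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```

Matching on the domain rather than only on port 8443 matters because the report ties the indicator to the domain; the port is corroborating context, and a subdomain match is included because dynamic-DNS hosts such as this one are often fronted by additional labels.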
“Alloy Taurus remains an active threat to telecommunications, financial and government organizations across Southeast Asia, Europe and Africa,” Unit 42 said.
“The identification of the Linux variant of the PingPull malware, as well as the recent use of the Sword2033 backdoor, indicates that the group is continuously expanding its operations to support their espionage activities.”