S1031 PingPull
PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.[1]
Item | Value |
---|---|
ID | S1031 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 09 August 2022 |
Last Modified | 24 October 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | A PingPull variant can communicate with its C2 servers by using HTTPS.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | PingPull can use cmd.exe to run various commands as a reverse shell.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | PingPull has the ability to install itself as a service.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | PingPull can encode C2 traffic with Base64.[1] |
enterprise | T1005 | Data from Local System | PingPull can collect data from a compromised host.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | PingPull can decrypt received data from its C2 server by using AES.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | PingPull has the ability to exfiltrate stolen victim data through its C2 channel.[1] |
enterprise | T1083 | File and Directory Discovery | PingPull can enumerate storage volumes and folder contents of a compromised host.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.006 | Timestomp | PingPull has the ability to timestomp a file.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | PingPull can mimic the names and descriptions of legitimate services such as iphlpsvc, IP Helper, and Onedrive to evade detection.[1] |
enterprise | T1095 | Non-Application Layer Protocol | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.[1] |
enterprise | T1571 | Non-Standard Port | PingPull can use HTTPS over port 8080 for C2.[1] |
enterprise | T1082 | System Information Discovery | PingPull can retrieve the hostname of a compromised host.[1] |
enterprise | T1016 | System Network Configuration Discovery | PingPull can retrieve the IP address of a compromised host.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0093 | GALLIUM | [1] |