
S1031 PingPull

PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. [1]

Item | Value
ID | S1031
Associated Names | -
Type | MALWARE
Version | 1.0
Created | 09 August 2022
Last Modified | 24 October 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | A PingPull variant can communicate with its C2 servers by using HTTPS. [1]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | PingPull can use cmd.exe to run various commands as a reverse shell. [1]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | PingPull has the ability to install itself as a service. [1]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | PingPull can encode C2 traffic with Base64. [1]
enterprise | T1005 | Data from Local System | PingPull can collect data from a compromised host. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | PingPull can decrypt received data from its C2 server by using AES. [1]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications. [1]
enterprise | T1041 | Exfiltration Over C2 Channel | PingPull has the ability to exfiltrate stolen victim data through its C2 channel. [1]
enterprise | T1083 | File and Directory Discovery | PingPull can enumerate storage volumes and folder contents of a compromised host. [1]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.006 | Timestomp | PingPull has the ability to timestomp a file. [1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.004 | Masquerade Task or Service | PingPull can mimic the names and descriptions of legitimate services such as iphlpsvc, IP Helper, and Onedrive to evade detection. [1]
enterprise | T1095 | Non-Application Layer Protocol | PingPull variants have the ability to communicate with C2 servers using ICMP or TCP. [1]
enterprise | T1571 | Non-Standard Port | PingPull can use HTTPS over port 8080 for C2. [1]
enterprise | T1082 | System Information Discovery | PingPull can retrieve the hostname of a compromised host. [1]
enterprise | T1016 | System Network Configuration Discovery | PingPull can retrieve the IP address of a compromised host. [1]

Groups That Use This Software

ID | Name | References
G0093 | GALLIUM | [1]

References