New Linux Malware Variants Used by Chinese Hackers for Spying

Published by Ari Denial on April 28, 2024

Alloy Taurus, a Chinese nation-state group that has been known for targeting telecom companies since 2012, has been found to be using a Linux variant of a backdoor called PingPull and an undocumented tool called Sword2033.

The group, which had previously targeted telecom companies, has expanded its cyber espionage efforts to include government entities and financial institutions. It now uses a Linux version of the PingPull backdoor, a remote access trojan that relies on the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.

Palo Alto Networks Unit 42 recently discovered the Linux variant, and in the process detected malicious cyber activity by the group against South Africa and Nepal. The group, which is also known as Granite Typhoon and was previously part of the Soft Cell operation that targeted Middle Eastern telecom providers, employs yrhsywu2009.zapto[.]org on port 8443 for C2 communications.
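The C2 host above is published defanged, as indicators usually are, so the first practical step for a defender is to refang it and sweep DNS logs for queries to that host or anything beneath it, without also matching the whole zapto.org dynamic-DNS zone. The script below is an added example written for this article, not Unit 42 code; the log format, timestamps, client addresses and every hostname other than the published indicator are constructed for the demonstration.

```python
"""Sweep DNS query logs for a published (defanged) C2 hostname.

Constructed example. Only the indicator itself comes from the report; the log
lines, their format and the other hostnames are made up for illustration.
"""
import re

# Indicator as it appears in the report, defanged.
PUBLISHED_IOCS = ["yrhsywu2009.zapto[.]org"]

# Constructed syslog-style DNS query log.
SAMPLE_DNS_LOG = """\
2024-04-20T08:01:12Z dns01 client 10.20.30.41 query: updates.example.net A
2024-04-20T08:01:15Z dns01 client 10.20.30.41 query: yrhsywu2009.zapto.org A
2024-04-20T08:01:20Z dns01 client 10.20.30.77 query: files.zapto.org A
2024-04-20T08:02:03Z dns01 client 10.20.30.41 query: beacon.yrhsywu2009.zapto.org AAAA
2024-04-20T08:02:09Z dns01 client 10.20.30.90 query: notyrhsywu2009.zapto.org A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ client (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ([.] / (.) / [dot] / hxxp) back into its on-the-wire hostname."""
    value = ioc.strip().lower()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", value)
    value = re.sub(r"^hxxps?://", "", value)
    value = value.split("/")[0].split(":")[0]   # drop any path or port
    return value.rstrip(".")


def matches(qname: str, indicator: str) -> bool:
    """True for the indicator host itself or any label beneath it; sibling hosts in the same
    dynamic-DNS zone (files.zapto.org) and look-alike prefixes (notyrhsywu2009...) do not match."""
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def scan_dns_log(log_text: str, iocs) -> list:
    """Return (timestamp, client, qname, indicator) for every query that hits an indicator."""
    indicators = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsed lines are skipped rather than silently matched
        for indicator in indicators:
            if matches(m["qname"], indicator):
                hits.append((m["ts"], m["client"], m["qname"], indicator))
    return hits


if __name__ == "__main__":
    for ts, client, qname, indicator in scan_dns_log(SAMPLE_DNS_LOG, PUBLISHED_IOCS):
        print(f"{ts} {client} resolved {qname} (matches {indicator})")
```

The suffix test is deliberately anchored on the dot so that a hit means the exact published host or a subdomain of it; matching on the bare zapto.org zone would flag every unrelated dynamic-DNS user. Resolution alone is not proof of compromise, but a resolving client is the host to pull for the port 8443 connection review and the ICMP traffic check.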

It is worth noting that the way PingPull parses its C2 instructions closely resembles China Chopper, a web shell commonly used by Chinese threat actors. This suggests the attacker may be adapting pre-existing source code to build customized tools. In addition, a closer investigation of the domain in question uncovered another ELF artifact, Sword2033, which has three basic capabilities: uploading files to the system, retrieving files from it, and executing commands.

The malware’s link to Alloy Taurus comes from its association with an active Indicator of Compromise (IoC) in a 2021 campaign against companies in Southeast Asia, Europe, and Africa.

Unit 42 warns that the group’s targeting of South Africa, particularly during its joint naval exercise with Russia and China, shows that it remains a significant threat to telecommunications, finance, and government organizations in these regions. The discovery of a Linux variant of the PingPull malware and the use of the Sword2033 backdoor indicate that the group continues to evolve its operations for espionage purposes.

To effectively combat this sophisticated threat, organizations must implement a comprehensive security strategy rather than relying solely on static detection methods.
