📃Title: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool
📅Date: 2022-06-13
🔗References:
Description
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa. The group's geographic targeting, sector-specific focus and technical proficiency, combined with its use of known Chinese threat actor malware and tactics, techniques and procedures (TTPs), have resulted in industry assessments that GALLIUM is likely a Chinese state-sponsored group.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: tool-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer Palo-Alto
- target-information="Vietnam"
- target-information="Russia"
- target-information="Philippines"
- target-information="Mozambique"
- target-information="Malaysia"
- target-information="Cambodia"
- target-information="Belgium"
- target-information="Australia"
- target-information="Afghanistan"
- threat-actor GALLIUM
- malpedia="PingPull"
- country="china"
- mitre-attack-pattern=['T1095', 'T1553', 'T1059', 'T1140', 'T1102', 'T1560']
MISP event uuid: 4e327b35-ae43-4963-bc9d-7c0370659ae5
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP