![]() Of note, the HTTP parameters z0, z1 and z2 and command handlers A-K, M also align to commands A-K, M observed in the web shell China Chopper. Timestomp file with specified timestamp in " %04d-%d-%d %d:%d:%d" format The command handler supports the following functionality that aligns with both China Chopper capabilities and those observed in the PingPull Windows PE variant: Cmd The values in the z0, z1 and z2 parameters are used for the arguments passed to the command.Īfter running the command, the payload will send the results back to the C2 server via an HTTPS request that resembles the beacon request, but contains Base64 encoded ciphertext. The value in the P29456789A1234sS parameter will contain a single upper case character between A and K, as well as M, which the payload will use as the command value. Once decoded, the cleartext resembles HTTP parameters and the payload will parse the cleartext for & and = with the following parameters: Figure 2. This is the same key that we previously observed in the original Windows PE variant of PingPull. The payload then expects the C2 server to respond with data that is Base64 encoded ciphertext, encrypted with AES using P29456789A1234sS as the key. It uses a statically linked OpenSSL (OpenSSL 0.9.8e) library to interact with the domain over HTTPS via the following HTTP POST request: Figure 1. Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zaptoorg over port 8443 for C2. This determination was made based on matching HTTP communication structure, POST parameters, AES key, and C2 commands, which are outlined below. Despite a largely benign verdict, additional analysis has determined that this sample is a Linux variant of PingPull malware. On March 7, 2023, the following sample was uploaded to VirusTotal. Related Unit 42 TopicsĪlloy Taurus, PingPull, Advanced Persistent ThreatĪdditional Resources PingPull Linux Variant The Advanced URL Filtering and DNS Security Cloud-Delivered Security Services can help protect against C2 infrastructure. Palo Alto Networks customers receive protections from the threats described in this blog through Cortex XDR and WildFire malware analysis.
0 Comments
Leave a Reply. |