Alert - PingPull APT remote access tool

Number: AL22-009
Date: 13 June 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 13 June 2022, Palo Alto’s Unit 42 released a report on PingPull, a backdoor malware operated by a sophisticated actor.

Details

On 13 June 2022, Palo Alto Networks’ Unit 42 released a report (Footnote 1) detailing a new remote access tool (RAT), named PingPull, in use by an advanced persistent threat (APT) actor. This actor has been active since at least 2012, targeting telecommunications providers, financial institutions and government entities.

PingPull is a lightweight Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) enabled backdoor that provides the threat actor with the ability to run commands and access a reverse shell on a compromised host.

Broadly, the implant possesses the following capabilities:

  • List system drives and directories
  • Copy, move, read, write, modify and delete files and directories
  • Launch processes
  • Encrypt communications

PingPull masquerades as the legitimate “iphlpsvc” service and connects to infrastructure using oddly configured certificates (Footnote 1).
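As an added defender-side check (not code from this alert or from the Unit 42 report), the PowerShell below enumerates Windows services that carry the iphlpsvc name or the IP Helper display name and flags any that are not hosted by svchost.exe from System32 loading the expected iphlpsvc.dll. It assumes the genuine Windows IP Helper service configuration; the alert does not describe exactly how PingPull registers itself, so a flagged entry is a lead to investigate rather than a confirmation.

```powershell
# Added example; not code from the Cyber Centre alert or the Unit 42 report.
# Assumption: the genuine IP Helper service (name "iphlpsvc") is hosted by
# %SystemRoot%\System32\svchost.exe and loads %SystemRoot%\System32\iphlpsvc.dll.
function Test-IpHelperService {
    $sys32       = Join-Path $env:SystemRoot 'System32'
    $expectedExe = Join-Path $sys32 'svchost.exe'
    $expectedDll = Join-Path $sys32 'iphlpsvc.dll'

    # Match on the service name or the display name so lookalikes are included too.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match 'iphlpsvc' -or $_.DisplayName -match 'IP Helper' } |
        ForEach-Object {
            # PathName is the full command line, e.g. "C:\Windows\System32\svchost.exe -k NetSvcs -p".
            $exe = $_.PathName -replace '^"?([^"]+?\.exe)"?.*$', '$1'

            # svchost-hosted services record the DLL they load under Parameters\ServiceDll.
            $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

            $reasons = @()
            if ($_.Name -ine 'iphlpsvc')    { $reasons += "service name '$($_.Name)' is not exactly iphlpsvc" }
            if ($exe -ine $expectedExe)     { $reasons += "binary is $exe, not $expectedExe" }
            if (-not $dll)                  { $reasons += 'no ServiceDll registered' }
            elseif ($dll -ine $expectedDll) { $reasons += "ServiceDll is $dll, not $expectedDll" }

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                PathName    = $_.PathName
                ServiceDll  = $dll
                Suspicious  = ($reasons.Count -gt 0)
                Reasons     = ($reasons -join '; ')
            }
        }
}

# On a clean host this lists only the genuine IP Helper service with Suspicious = False.
Test-IpHelperService | Format-List
```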

The Cyber Centre has received reports of this malware impacting organizations within Canada.

Recommended actions

To increase the defensive posture of critical networks and reduce the risk of infection, the Cyber Centre recommends organizations review and action the indicators of compromise included in the Palo Alto Networks’ Unit 42 report (Footnote 1).

The Cyber Centre has not verified the technical details described in this disclosure and is providing this information as is for situational awareness and potential action. It is important that organizations verify the potential impact on business services and network environments before implementing any of the above recommended actions.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, or to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).
