Number: AL22-009
Date: 13 June 2022
Audience
This Alert is intended for IT professionals and managers of notified organizations.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Overview
On 13 June 2022, Palo Alto’s Unit 42 released a report on PingPull, a backdoor malware operated by a sophisticated actor.
Details
On 13 June 2022, Palo Alto Networks’ Unit 42 released a report (Footnote 1) detailing a new remote access tool (RAT), named PingPull, in use by an advanced persistent threat (APT) actor. This actor has been active since at least 2012, targeting telecommunications providers, financial institutions and government entities.
PingPull is a lightweight backdoor that can communicate over Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP) or Transmission Control Protocol (TCP), and that provides the threat actor with the ability to run commands and obtain a reverse shell on a compromised host.
Broadly, the implant possesses the following capabilities:
- List system drives and directories
- Copy, move, read, write, modify and delete files and directories
- Launch processes
- Encrypt communications
PingPull masquerades as the legitimate “iphlpsvc” service and connects to its infrastructure using oddly configured certificates. (Footnote 1)
The Cyber Centre has received reports of this malware impacting organizations within Canada.
Recommended actions
To increase the defensive posture of critical networks and reduce the risk of infection, the Cyber Centre recommends that organizations review and action the indicators of compromise included in the Palo Alto Networks’ Unit 42 report. (Footnote 1)
The Cyber Centre has not verified the technical details described in this disclosure and is providing this information as-is for situational awareness and potential action. Organizations should verify the potential impact on business services and network environments before implementing any of the above recommended actions.
Should activity matching the content of this Alert be discovered, recipients are encouraged to report it via the My Cyber Portal, or to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 / 1-833-292-3788).