Alert - PingPull APT remote access tool

Number: AL22-009
Date: 13 June 2022

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Overview

On 13 June 2022, Palo Alto’s Unit 42 released a report on PingPull, a backdoor malware operated by a sophisticated actor.

Details

On 13 June 2022, Palo Alto Networks’ Unit 42 released a report (Footnote 1) detailing a new remote access tool (RAT), named PingPull, in use by an advanced persistent threat (APT) actor. This actor has been active since at least 2012, targeting telecommunications providers, financial institutions and government entities.

PingPull is a lightweight Internet Control Message Protocol (ICMP), Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP)-enabled backdoor that provides the threat actor with the ability to run commands and access a reverse shell on a compromised host.

Broadly, the implant possesses the following capabilities:

  • List system drives and directories
  • Copy, move, read, write, modify and delete files and directories
  • Launch processes
  • Encrypt communications

PingPull masquerades as the legitimate “iphlpsvc” service and connects to infrastructure using oddly configured certificates (Footnote 1).
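One way to check collected service records for the masquerade described above (an added example, not code from the Cyber Centre or the Unit 42 report). It assumes the default IP Helper configuration, with svchost.exe hosting iphlpsvc.dll under C:\Windows\System32; the record fields, host names, sample values and the `findings` and `scan` helpers are constructed for illustration.

```python
# Added example (not from the alert): flag service records that imitate "iphlpsvc".
# Assumed baseline: the genuine IP Helper service on a default Windows install.
LEGIT_NAME = "iphlpsvc"
LEGIT_DISPLAY = "ip helper"
LEGIT_EXE = r"c:\windows\system32\svchost.exe"
LEGIT_DLL = r"c:\windows\system32\iphlpsvc.dll"

def edit_distance(a, b):
    """Levenshtein distance; small values indicate a lookalike service name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def binary_path(value, system_root=r"c:\windows"):
    """Lower-case, expand %SystemRoot%, drop quotes and command-line arguments."""
    p = value.lower().replace("%systemroot%", system_root).replace('"', "").strip()
    for ext in (".exe", ".dll"):
        if ext in p:
            return p[: p.index(ext) + len(ext)]
    return p

def findings(svc):
    """Return the reasons a service record looks like an iphlpsvc masquerade."""
    name = svc["Name"].lower()
    if name == LEGIT_NAME:  # genuine name: the hosting binaries must match the baseline
        paths = tuple(binary_path(svc.get(k, "")) for k in ("ImagePath", "ServiceDll"))
        return [] if paths == (LEGIT_EXE, LEGIT_DLL) else ["genuine name, unexpected binary"]
    reasons = []
    if edit_distance(name, LEGIT_NAME) <= 2:
        reasons.append("lookalike name")
    if svc.get("DisplayName", "").strip().lower() == LEGIT_DISPLAY:
        reasons.append("copied display name")
    return reasons

# Constructed sample records (resolved display name plus ImagePath and ServiceDll values).
SAMPLES = [
    {"Host": "HOST-A", "Name": "iphlpsvc", "DisplayName": "IP Helper", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetSvcs -p", "ServiceDll": r"%SystemRoot%\System32\iphlpsvc.dll"},
    {"Host": "HOST-B", "Name": "iphlpsvx", "DisplayName": "IP Helper", "ImagePath": r"C:\ProgramData\example\svc.exe"},
    {"Host": "HOST-C", "Name": "iphlpsvc", "DisplayName": "IP Helper", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k NetSvcs -p", "ServiceDll": r"C:\Users\Public\example.dll"},
    {"Host": "HOST-D", "Name": "Spooler", "DisplayName": "Print Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]

def scan(records):
    """Return (host, service name, reasons) for every record that raised a finding."""
    return [(r["Host"], r["Name"], findings(r)) for r in records if findings(r)]
```

A finding is a lead for triage rather than a verdict; confirm it against the indicators in the Unit 42 report.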

The Cyber Centre has received reports of this malware impacting organizations within Canada.

Recommended actions

To increase the defensive posture of critical networks and reduce the risk of infection, the Cyber Centre recommends organizations review and action the indicators of compromise included in the Palo Alto Networks’ Unit 42 report (Footnote 1).

The Cyber Centre has not verified the technical details described in this disclosure and is providing this information as is for situational awareness and potential action. It is important that organizations verify the potential impact on business services and network environments before implementing any of the above recommended actions.

Should activity matching the content of this Alert be discovered, recipients are encouraged to report via the My Cyber Portal, or to contact the Cyber Centre by email (contact@cyber.gc.ca) or by telephone (1-833-CYBER-88 or 1-833-292-3788).
