PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since at least June 2022. PingPull has been used to target telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols||
A PingPull variant can communicate with its C2 servers by using HTTPS.
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
PingPull can use
|Enterprise||T1543||.003||Create or Modify System Process: Windows Service|
|Enterprise||T1132||.001||Data Encoding: Standard Encoding|
|Enterprise||T1005||Data from Local System|
|Enterprise||T1140||Deobfuscate/Decode Files or Information||
PingPull can decrypt received data from its C2 server by using AES.
|Enterprise||T1573||.001||Encrypted Channel: Symmetric Cryptography||
PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.
|Enterprise||T1041||Exfiltration Over C2 Channel||
PingPull has the ability to exfiltrate stolen victim data through its C2 channel.
|Enterprise||T1083||File and Directory Discovery||
PingPull can enumerate storage volumes and folder contents of a compromised host.
|Enterprise||T1070||.006||Indicator Removal: Timestomp|
|Enterprise||T1036||.004||Masquerading: Masquerade Task or Service||
PingPull can mimic the names and descriptions of legitimate services such as
|Enterprise||T1095||Non-Application Layer Protocol||
PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.
|Enterprise||T1082||System Information Discovery||
PingPull can retrieve the hostname of a compromised host.
|Enterprise||T1016||System Network Configuration Discovery||
PingPull can retrieve the IP address of a compromised host.