Linux Shift: Chinese APT Alloy Taurus Is Back With Retooling

An old threat actor is making its comeback, sending around its old malware with a new tint.

After a brief hiatus, the Alloy Taurus APT (aka Gallium or Operation Soft Cell) is back on the scene, with a new Linux variant of its PingPull malware.

Alloy Taurus is a Chinese nation-state-affiliated threat actor, around since at least 2012 but only in the spotlight since 2019. It focuses on espionage, and is best known for targeting major telecommunications providers.

In a blog post last June, Palo Alto Networks' Unit 42 published details on the original, Windows version of PingPull. It was a Visual C++-based remote access Trojan (RAT), which enabled its proprietor to run commands and access a reverse shell on a compromised target computer.

Alloy Taurus took a hit in the second half of 2022, but now it's back in full force. "They burned the Windows version of PingPull," explains Pete Renals, principal researcher at Unit 42, "and they've spun up a new capability that demonstrates some degree of expertise switching to a different variant."

The Linux variant largely overlaps with its Windows ancestor, allowing the attackers to list, read, write, copy, rename, and delete files, as well as run commands. Interestingly, PingPull also shares some functions, HTTP parameters, and command handlers with the China Chopper Web shell infamously deployed in the 2021 attacks against Microsoft Exchange Servers.

The Fall of Alloy Taurus

Alloy Taurus burst onto the scene in 2018–2019, with bold espionage campaigns against major telecommunications providers around the world. As Cybereason explained in its then-breaking blog post in June 2019, "the threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geolocation of users, and more."

Even when compared with other Chinese state-level APTs, it's "fairly mature and fairly serious," Renals assesses. "The ability to get into an AT&T or Verizon or Deutsche Telekom, lay low, and change router configs, requires a certain degree of expertise. That's not your junior varsity team in any way, shape, or form."

But Alloy Taurus wasn't invulnerable, as researchers recently discovered.

The group was flying high in late 2021 and early 2022, utilizing its PingPull Windows RAT in multiple campaigns, Unit 42 noted in its June blog post. It targeted telecoms but also military and government organizations, located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia and Vietnam.

Then, "only three to five days after we published in June, we watched them abandon all their infrastructure that was covered in the report," Renals says. "They changed everything to point to a specific government and Southeast Asia — so that all the beaconing implants and all the victims got redirected to another country — and they basically wiped their hands of all of it."

The Return of Alloy Taurus

Alloy Taurus hadn't disappeared entirely, but it had certainly retreated. "They were living off the land," Renals explains. "Some of the core upstream infrastructure remained open and running."

The victory was short-lived. In December, researchers picked up on new signs of life, and in March they captured a Linux sample of the old PingPull malware. "It shows a mature APT's capability to respond and adjust very quickly," Renals says.

That APTs can so effortlessly return in new forms presents a conundrum for cyber defenders. How does one protect against a group like Alloy Taurus today, if it can simply return wearing new makeup tomorrow?

"I think the days of tracking specific indicators of compromise (IoCs) are largely behind us," says Renals. "Now it's more about tracking the techniques and the tactics, and having the behavioral analytics to go detect that kind of activity. That's where we're shifting the endpoint, that's where we're shifting network security, as well."

Discovering the new PingPull, he believes, is a case in point for this better way of sussing out sophisticated APTs. "With the Linux variant, we initially may have triaged it as benign. And then we looked at it and said: 'Hey, wait a minute. This has very similar characteristics to something else that's malicious. Let's have a human go look at this.' So, having that capability is essential."

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
