
New Linux Malware Variants Used by Chinese Hackers for Spying
- Written by Ari Denial, Cybersecurity & Tech Writer
Alloy Taurus, a Chinese nation-state group that has been known for targeting telecom companies since 2012, has been found to be using a Linux variant of a backdoor called PingPull and an undocumented tool called Sword2033.
The group, which had previously targeted telecom companies, has expanded its cyber espionage efforts to include government entities and financial institutions. It is now using a Linux version of the PingPull backdoor, a remote access trojan that relies on the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications.
Palo Alto Networks Unit 42 recently discovered the Linux variant, and in the process detected malicious cyber activity by the group against South Africa and Nepal. The group, which is also known as Granite Typhoon and was previously part of the Soft Cell operation that targeted Middle Eastern telecom providers, employs yrhsywu2009.zapto[.]org on port 8443 for C2 communications.
It is worth noting that the way PingPull parses its C2 instructions closely resembles China Chopper, a web shell commonly employed by Chinese threat actors. This suggests the attacker may be adapting pre-existing source code to build their own customized tools. Additionally, a closer investigation of the domain in question uncovered another ELF artifact, Sword2033, which has three basic capabilities: uploading files to the system, retrieving files from it, and executing commands.
The malware’s link to Alloy Taurus comes from its association with an active Indicator of Compromise (IoC) in a 2021 campaign against companies in Southeast Asia, Europe, and Africa.
Unit 42 warns that the group’s targeting of South Africa, particularly during its joint naval exercise with Russia and China, shows that they remain a significant threat to telecommunications, finance, and government organizations in these regions. The discovery of a Linux variant of PingPull malware and the use of Sword2033 backdoor indicate that they continue to evolve their operations for espionage purposes.
To effectively combat this sophisticated threat, organizations must implement a comprehensive security strategy rather than relying solely on static detection methods.
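As an added illustration of the non-static detection the paragraph calls for (this is example code, not Unit 42's or the author's), the script below scans a small constructed log stream for the C2 domain and port named in the article, and for the traffic pattern an ICMP-based backdoor leaves behind: repeated echo requests to one peer carrying payloads larger than a normal ping. The payload and beacon thresholds are assumptions chosen for this example, not figures from the report.

```python
from collections import Counter

# Indicators from the article (domain shown defanged there as yrhsywu2009.zapto[.]org).
C2_DOMAIN = "yrhsywu2009.zapto.org"
C2_PORT = 8443
# Heuristic thresholds are assumptions for this example, not from the report:
# a standard echo request carries 56 bytes of data, so repeated echoes to one
# peer with much larger payloads are worth a look as possible ICMP tunnelling.
ICMP_MAX_PAYLOAD = 64
ICMP_BEACON_THRESHOLD = 5

# Constructed sample log stream (not real telemetry): dns, conn and icmp
# records with whitespace-separated fields and key=value attributes.
SAMPLE_LOGS = """\
dns 10.0.0.5 query=yrhsywu2009.zapto.org answer=203.0.113.9
conn 10.0.0.5 -> 203.0.113.9:8443 proto=tcp bytes=1320
conn 10.0.0.7 -> 198.51.100.20:443 proto=tcp bytes=4000
icmp 10.0.0.5 -> 203.0.113.9 type=8 payload=56
icmp 10.0.0.5 -> 203.0.113.9 type=8 payload=512
icmp 10.0.0.5 -> 203.0.113.9 type=8 payload=512
icmp 10.0.0.5 -> 203.0.113.9 type=8 payload=512
icmp 10.0.0.5 -> 203.0.113.9 type=8 payload=512
icmp 10.0.0.9 -> 192.0.2.1 type=8 payload=56
"""


def find_indicators(log_text):
    """Return (reason, detail) pairs for records matching the IoCs or the ICMP heuristics."""
    hits = []
    c2_hosts = set()          # IPs the C2 domain resolved to within this log
    echo_counts = Counter()   # (src, dst) -> number of ICMP echo requests seen
    for line in log_text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "dns" and f"query={C2_DOMAIN}" in f:
            hits.append(("dns-c2-domain", line))
            c2_hosts.add(f[3].split("=", 1)[1])
        elif f[0] == "conn":
            host, port = f[3].rsplit(":", 1)
            # Only flag the port when the peer is one the C2 domain resolved to.
            if host in c2_hosts and int(port) == C2_PORT:
                hits.append(("conn-c2-host", line))
        elif f[0] == "icmp" and "type=8" in f:
            payload = int(f[5].split("=", 1)[1])
            if payload > ICMP_MAX_PAYLOAD:
                hits.append(("icmp-large-payload", line))
            echo_counts[(f[1], f[3])] += 1
    for (src, dst), n in echo_counts.items():
        if n >= ICMP_BEACON_THRESHOLD:
            hits.append(("icmp-echo-beacon", f"{src} -> {dst} echo_requests={n}"))
    return hits
```

Running `find_indicators(SAMPLE_LOGS)` flags the DNS lookup, the follow-on 8443 connection to the resolved host, each oversized echo request, and the beaconing pair, while the ordinary HTTPS and ping lines pass untouched.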

KuCoin’s Twitter Account Breached, Used to Push Cryptocurrency Scam
- Written by Ari Denial, Cybersecurity & Tech Writer
KuCoin, a popular cryptocurrency exchange, fell victim to a Twitter hack, which enabled scammers to carry out a fraudulent giveaway scheme that resulted in the theft of more than $22.6K worth of cryptocurrency.
However, KuCoin has taken full responsibility for the incident, pledging to compensate all affected users for verified losses. Additionally, KuCoin has assured its customers that their assets on the exchange remain entirely safe and secure.
KuCoin confirmed that 22 Bitcoin and Ethereum transactions, worth $22,600, were carried out by the hackers during a 45-minute breach of its Twitter account. The scammers set up a fake giveaway campaign that looked like the exchange's usual promotional events, leading some users to fall for it.
The website hosting the malicious giveaway claimed that even non-KuCoin users could participate by contributing any amount and earning double in return. The exchange is investigating the issue and blocking suspicious addresses to prevent further harm to users.
KuCoin urges users impacted by the recent Twitter hack to contact their support team and not respond to advice or suggestions from other sources, including Twitter’s fraudulent cryptocurrency support bots.
The exchange promises to implement new security measures to prevent such incidents from recurring and is working closely with Twitter to identify the attacker. Hackers have targeted cryptocurrency exchanges’ official Twitter accounts in the past to defraud users, as seen in the cases of Robinhood and CoinDCX.
Hackers breached KuCoin's official Twitter account on April 24 and tricked customers into participating in a false giveaway event, resulting in the theft of funds. The exchange promised to compensate victims and vowed to implement improved security measures. Twitter is collaborating with the exchange to investigate the matter.