2018-10-10 by Security Response Attack Investigation Team from Symantec
Actor: Gallmaker
Names: Gallmaker
Country: [Unknown]
Motivation: Information theft and espionage
First-seen: 2017
Description: (Symantec) Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.
Observed-sectors: Defense
Observed-sectors: Embassies
Observed-sectors: Government
Observed-countries: Eastern Europe and Middle East
Tools: Living off the Land
Information: https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group
Mitre-attack: https://attack.mitre.org/groups/G0084/
Last-card-change: 2020-04-22
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Techniques |
---|---|
Initial Access (TA0001) | T1566.001 Phishing: Spearphishing Attachment. Gallmaker sent emails with malicious Microsoft Office documents attached. |
Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell. Gallmaker used PowerShell to download additional payloads and for execution. T1559.002 Inter-Process Communication: Dynamic Data Exchange. Gallmaker attempted to exploit Microsoft's DDE protocol in order to gain access to victim machines and for execution. T1204.002 User Execution: Malicious File. Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution. |
Collection (TA0009) | T1560.001 Archive Collected Data: Archive via Utility. Gallmaker has used WinZip, likely to archive data prior to exfiltration. |