Threat Management, Threat Intelligence, Incident Response, TDR

Gallmaker threat group evades detection by living off the land

A new threat group dubbed Gallmaker has been targeting overseas embassies of an Eastern European country, and military and defense targets in the Middle East eschewing malware and instead, opting to use living off the land (LotL) tactics to infiltrate systems.

Symantec researchers said the Gallmaker group has been operating since at least December 2018 with its most recent observed activity in June 2018, according to an Oct. 10 blog post.

The group’s activities appear to be highly targeted as all of its victims are related to government, military, or defense sectors and all of the embassies that have been targeted by the group all have the same home country.

Although researchers haven’t noted any obvious links between the threat group’s Eastern European and Middle Eastern targets, researchers said it’s unlikely the attacks are random or accidental.

Rather than use malware, the group uses publicly available hacking tools and takes a number of steps to gain access to a victim’s device while simultaneously covering their tracks.

To gain a foothold, the group delivers a malicious Office lure document, most likely via phishing email, which use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages.

These documents then attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines by asking the victim’s to “Enable Content” which if done, would allow attackers to use the DDE protocol to remotely execute commands in memory on the victim’s system.

Threat actors look to avoid detection by running solely in memory to avoid leaving artifacts on disks and their use of LotL tactics and publicly available tools make the group’s activities more elusive.

“Gallmaker is using three primary IP addresses for its C&C infrastructure to communicate with infected devices,” researchers said in the post. “There is also evidence that it is deleting some of its tools from victim machines once it is finished, to hide traces of its activity.”

Researchers said the group’s activity strongly suggest that it part of a cyberespionage campaign being carried out by a state-sponsored group.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.