Microsoft issued a warning about the new threat groups called GALLIUM that attack Telecommunication providers by exploiting the internet-facing services vulnerabilities in WildFly/JBoss.
Initially, Threat actors using publicly available exploits to attack the internet-facing services to gain persistence in the target network, later it using the common tools and techniques to steal the network credentials to move further deep into the network.
GALLIUM threat group activities observed between 2018 to mid-2019, and their activities are still being observed in wide, but activity levels have dropped when compared to the previous attacks.
GALLIUM groups are widely known as using publicly available tools, and malware with the small modification to attack the target, and they are not attempting to obfuscate their malware or tools.
Tools and Malware used by GALLIUM
Microsoft observed the following tools and malware are mainly used by the GALLIUM threat group.
| Tool | Purpose |
| HTRAN | Connection bouncer to proxy connections. |
| Mimikatz | Credential dumper. |
| NBTScan | Scanner for open NETBIOS nameservers on a local or remote TCP/IP network. |
| Netcat | Reads from and writes to network connections using TCP or UDP protocols. |
| PsExec | Executes a command line process on a remote machine. |
| Windows Credential Editor (WCE) | Credential dumper. |
| WinRAR | Archiving utility. |
| Malware | Notes |
| BlackMould | Native IIS version of the China Chopper web shell. |
| China Chopper | Commonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM. |
| Poison Ivy (modified) | Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM. |
| QuarkBandit | Gh0st RAT variant with modified configuration options and encryption. |
Exploiting the Telecom Network
Threat actors initially locate and exploit the unpatched internet-facing services such as web servers and gain network access.
Attacking the web server and compromising to gain access doesn’t require user interaction and these kinds of access can be obtained by the traditional phishing attack.
To explore the network, Once the compromising the web servers, they install the Web Shell along with additional tools.
There are some other varieties of tools used to perform reconnaissance, and those tools are most of the off-the-shelf tools or modified versions of known security tools.
GALLIUM also using stolen code signing certificates to sign the tools, Microsoft observed that they are using credential dumping tool signed by a stolen certificate from Whizzimo, LLC,
To move further into the network, they rely on compromised domain credentials, which can be obtained by the several credential harvesting tools.
Once they successfully gained access with the stolen credentials, attacker threat actors using PsExec to Executes a command line process on a remote machine.
According to Microsoft research, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.
Microsoft listed some for best defenses practices for the enterprise network that helps security operations teams to take the appropriate mitigation steps.
Indicators of Compromise
| Indicator | Type |
| asyspy256[.]ddns[.]net | Domain |
| hotkillmail9sddcc[.]ddns[.]net | Domain |
| rosaf112[.]ddns[.]net | Domain |
| cvdfhjh1231[.]myftp[.]biz | Domain |
| sz2016rose[.]ddns[.]net | Domain |
| dffwescwer4325[.]myftp[.]biz | Domain |
| cvdfhjh1231[.]ddns[.]net | Domain |
| 9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd | Sha256 |
| 7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b | Sha256 |
| 657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5 | Sha256 |
| 2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29 | Sha256 |
| 52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77 | Sha256 |
| a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3 | Sha256 |
| 5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022 | Sha256 |
| 6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883 | Sha256 |
| 3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e | Sha256 |
| 1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7 | Sha256 |
| fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1 | Sha256 |
| 7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c | Sha256 |
| 178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945 | Sha256 |
| 51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9 | Sha256 |
| 889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79 | Sha256 |
| 332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf | Sha256 |
| 44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08 | Sha256 |
| 63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef | Sha256 |
| 056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070 | Sha256 |
| TrojanDropper:Win32/BlackMould.A!dha | Signature Name |
| Trojan:Win32/BlackMould.B!dha | Signature Name |
| Trojan:Win32/QuarkBandit.A!dha | Signature Name |
| Trojan:Win32/Sidelod.A!dha | Signature Name |
