GALLIUM

Microsoft issued a warning about the new threat groups called GALLIUM that attack Telecommunication providers by exploiting the internet-facing services vulnerabilities in WildFly/JBoss.

Initially, Threat actors using publicly available exploits to attack the internet-facing services to gain persistence in the target network, later it using the common tools and techniques to steal the network credentials to move further deep into the network.

GALLIUM threat group activities observed between 2018 to mid-2019, and their activities are still being observed in wide, but activity levels have dropped when compared to the previous attacks.

GALLIUM groups are widely known as using publicly available tools, and malware with the small modification to attack the target, and they are not attempting to obfuscate their malware or tools.

Tools and Malware used by GALLIUM

Microsoft observed the following tools and malware are mainly used by the GALLIUM threat group.

ToolPurpose
HTRANConnection bouncer to proxy connections.
MimikatzCredential dumper.
NBTScanScanner for open NETBIOS nameservers on a local or remote TCP/IP network.
NetcatReads from and writes to network connections using TCP or UDP protocols.
PsExecExecutes a command line process on a remote machine.
Windows Credential Editor (WCE)Credential dumper.
WinRARArchiving utility.
MalwareNotes
BlackMouldNative IIS version of the China Chopper web shell.
China ChopperCommonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified)Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBanditGh0st RAT variant with modified configuration options and encryption.

Exploiting the Telecom Network

Threat actors initially locate and exploit the unpatched internet-facing services such as web servers and gain network access.

Attacking the web server and compromising to gain access doesn’t require user interaction and these kinds of access can be obtained by the traditional phishing attack.

To explore the network, Once the compromising the web servers, they install the Web Shell along with additional tools.

There are some other varieties of tools used to perform reconnaissance, and those tools are most of the off-the-shelf tools or modified versions of known security tools.

GALLIUM also using stolen code signing certificates to sign the tools, Microsoft observed that they are using credential dumping tool signed by a stolen certificate from Whizzimo, LLC

To move further into the network, they rely on compromised domain credentials, which can be obtained by the several credential harvesting tools.

Once they successfully gained access with the stolen credentials, attacker threat actors using PsExec to Executes a command line process on a remote machine.

According to Microsoft research, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Microsoft listed some for best defenses practices for the enterprise network that helps security operations teams to take the appropriate mitigation steps.

Indicators of Compromise

IndicatorType
asyspy256[.]ddns[.]netDomain
hotkillmail9sddcc[.]ddns[.]netDomain
rosaf112[.]ddns[.]netDomain
cvdfhjh1231[.]myftp[.]bizDomain
sz2016rose[.]ddns[.]netDomain
dffwescwer4325[.]myftp[.]bizDomain
cvdfhjh1231[.]ddns[.]netDomain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06ddSha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5bSha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8eSha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9cSha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddfSha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3efSha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070Sha256
TrojanDropper:Win32/BlackMould.A!dhaSignature Name
Trojan:Win32/BlackMould.B!dhaSignature Name
Trojan:Win32/QuarkBandit.A!dhaSignature Name
Trojan:Win32/Sidelod.A!dhaSignature Name

Leave a Reply