Thursday, October 10, 2024
HomeHacksGALLIUM Hacking Group Attack Telecom Networks Using Publicly Available Hacking Tools &...

GALLIUM Hacking Group Attack Telecom Networks Using Publicly Available Hacking Tools & Exploiting Unpatched Vulnerabilities

Published on

Microsoft issued a warning about the new threat groups called GALLIUM that attack Telecommunication providers by exploiting the internet-facing services vulnerabilities in WildFly/JBoss.

Initially, Threat actors using publicly available exploits to attack the internet-facing services to gain persistence in the target network, later it using the common tools and techniques to steal the network credentials to move further deep into the network.

GALLIUM threat group activities observed between 2018 to mid-2019, and their activities are still being observed in wide, but activity levels have dropped when compared to the previous attacks.

- Advertisement - EHA

GALLIUM groups are widely known as using publicly available tools, and malware with the small modification to attack the target, and they are not attempting to obfuscate their malware or tools.

Tools and Malware used by GALLIUM

Microsoft observed the following tools and malware are mainly used by the GALLIUM threat group.

ToolPurpose
HTRANConnection bouncer to proxy connections.
MimikatzCredential dumper.
NBTScanScanner for open NETBIOS nameservers on a local or remote TCP/IP network.
NetcatReads from and writes to network connections using TCP or UDP protocols.
PsExecExecutes a command line process on a remote machine.
Windows Credential Editor (WCE)Credential dumper.
WinRARArchiving utility.
MalwareNotes
BlackMouldNative IIS version of the China Chopper web shell.
China ChopperCommonly used and widely shared web shell used by several threat actors. Not unique to GALLIUM.
Poison Ivy (modified)Poison Ivy is a widely shared remote access tool (RAT) first identified in 2005. While Poison Ivy is widely used, the variant GALLIUM has been observed using is a modified version which appears to be unique to GALLIUM.
QuarkBanditGh0st RAT variant with modified configuration options and encryption.

Exploiting the Telecom Network

Threat actors initially locate and exploit the unpatched internet-facing services such as web servers and gain network access.

Attacking the web server and compromising to gain access doesn’t require user interaction and these kinds of access can be obtained by the traditional phishing attack.

To explore the network, Once the compromising the web servers, they install the Web Shell along with additional tools.

There are some other varieties of tools used to perform reconnaissance, and those tools are most of the off-the-shelf tools or modified versions of known security tools.

GALLIUM also using stolen code signing certificates to sign the tools, Microsoft observed that they are using credential dumping tool signed by a stolen certificate from Whizzimo, LLC

To move further into the network, they rely on compromised domain credentials, which can be obtained by the several credential harvesting tools.

Once they successfully gained access with the stolen credentials, attacker threat actors using PsExec to Executes a command line process on a remote machine.

According to Microsoft research, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network.

Microsoft listed some for best defenses practices for the enterprise network that helps security operations teams to take the appropriate mitigation steps.

Indicators of Compromise

IndicatorType
asyspy256[.]ddns[.]netDomain
hotkillmail9sddcc[.]ddns[.]netDomain
rosaf112[.]ddns[.]netDomain
cvdfhjh1231[.]myftp[.]bizDomain
sz2016rose[.]ddns[.]netDomain
dffwescwer4325[.]myftp[.]bizDomain
cvdfhjh1231[.]ddns[.]netDomain
9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06ddSha256
7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5bSha256
657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5Sha256
2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29Sha256
52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77Sha256
a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3Sha256
5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022Sha256
6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883Sha256
3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8eSha256
1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7Sha256
fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1Sha256
7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9cSha256
178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945Sha256
51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9Sha256
889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79Sha256
332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddfSha256
44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08Sha256
63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3efSha256
056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070Sha256
TrojanDropper:Win32/BlackMould.A!dhaSignature Name
Trojan:Win32/BlackMould.B!dhaSignature Name
Trojan:Win32/QuarkBandit.A!dhaSignature Name
Trojan:Win32/Sidelod.A!dhaSignature Name
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...