Monday, June 17, 2024

Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools

A new previously unknown hacking group appeared as Gallmaker attacking various public sectors such a  government, military, and defense using custom malware.

Attacker also using living off the land (LotL) tactics and publicly available hacking tools in order infiltrate the targeted network.

The term living off the land indicates that the attackers increasingly making use of pre-installed system tools on targeted computers or running simple scripts and shellcode directly in memory.

This helps attackers to evade the detection by traditional security software and the attacker work will hide in legitimate system administration work.

Attacker group Mainly targeting the Eastern European country and military and defense targets in the Middle East.

This groups actively attacking since December 2017 and researcher most recently observing this campaign in June 2018.

Attack Tactics – Gallmaker

Unlike other hacking groups, Gallmaker attackers actively observing the target system and using LotL tactics and publicly available hack tools.

The attacker’s group following various steps in order to gain the target system access then later they deploy the several hacking tools to perform further attacks.

Initially, attackers reach the target through spear-phishing email which contains an attached malicious documents that titles with the government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages.

Attackers created the document with an interesting file name “bg embassy list.docx” and   “ members list.docx” which is not much sophisticated but researchers believe its effective one to compromise the target.

Once the victims click and open the document, its force them to enable the content then it exploits the Microsoft Office Dynamic Data Exchange (DDE) protocol.

“If the user enables this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system”

Once the attackers gain access to the target victim device then they will execute the various different attacks using the following tools.

  • WindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks
  • A “reverse_tcp” payload from Metasploit – use obfuscated shellcode that is executed via PowerShell and download reverse shell.
  • WinZip console: This creates a task to execute commands and communicate with the command-and-control (C&C) server.
  • Rex PowerShell library – create and manipulate PowerShell scripts for use with Metasploit exploits

According to Symantec, Gallmaker is using three primary IP addresses for its C&C infrastructure to communicate with infected devices. There is also evidence that it is deleting some of its tools from victim machines once it is finished, to hide traces of its activity.

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles