Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools

A new previously unknown hacking group appeared as Gallmaker attacking various public sectors such a  government, military, and defense using custom malware.

Attacker also using living off the land (LotL) tactics and publicly available hacking tools in order infiltrate the targeted network.

The term living off the land indicates that the attackers increasingly making use of pre-installed system tools on targeted computers or running simple scripts and shellcode directly in memory.

This helps attackers to evade the detection by traditional security software and the attacker work will hide in legitimate system administration work.

Attacker group Mainly targeting the Eastern European country and military and defense targets in the Middle East.

This groups actively attacking since December 2017 and researcher most recently observing this campaign in June 2018.

Attack Tactics – Gallmaker

Unlike other hacking groups, Gallmaker attackers actively observing the target system and using LotL tactics and publicly available hack tools.

The attacker’s group following various steps in order to gain the target system access then later they deploy the several hacking tools to perform further attacks.

Initially, attackers reach the target through spear-phishing email which contains an attached malicious documents that titles with the government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages.

Attackers created the document with an interesting file name “bg embassy list.docx” and   “Navy.ro members list.docx” which is not much sophisticated but researchers believe its effective one to compromise the target.

Once the victims click and open the document, its force them to enable the content then it exploits the Microsoft Office Dynamic Data Exchange (DDE) protocol.

“If the user enables this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system”

Once the attackers gain access to the target victim device then they will execute the various different attacks using the following tools.

  • WindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks
  • A “reverse_tcp” payload from Metasploit – use obfuscated shellcode that is executed via PowerShell and download reverse shell.
  • WinZip console: This creates a task to execute commands and communicate with the command-and-control (C&C) server.
  • Rex PowerShell library – create and manipulate PowerShell scripts for use with Metasploit exploits

According to Symantec, Gallmaker is using three primary IP addresses for its C&C infrastructure to communicate with infected devices. There is also evidence that it is deleting some of its tools from victim machines once it is finished, to hide traces of its activity.

Related Read

A New Variant of Ursnif Banking Trojan Distributed Through Malicious Microsoft Word Documents

Ursnif Malware Variant Performs Malicious Process Injection in Memory using TLS Anti-Analysis Evasion Trick

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago