Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Gallmaker Attackers Living Off the Land, Symantec Finds

Gallmaker, a new state-sponsored threat group, eschews custom malware for legitimate hacking tools and techniques to run under the radar while attacking government and military organizations in eastern Europe and the Middle East, according to recent research from Symantec.

A previously unknown cybercriminal group is opting for known hacking tools and tactics rather than custom malware to evade detection by cybersecurity solutions as it targets government and military institutions in eastern Europe and the Middle East, according to researchers with Symantec.

The group, which the researchers have dubbed Gallmaker, uses what are known as living-off-the-land (LotL) tactics and publicly available hacking tools in its cyber-espionage campaigns, making it difficult to be detected once it's gained access to a victim's device mostly likely through an email spear-phishing effort.

Gallmaker has been operating since December 2017, with the activity continuing into this year, with a particular spike in April, the Symantec researchers wrote in a report earlier this month. Among the targets have been several embassies of a particular eastern European country located in different regions around the world. In addition, the apparent state-sponsored campaign also has taken aim at a Middle Eastern defense contractor and a military organization.

Given the targets, it doesn't appear that the campaign efforts are random or accidental, according to researchers. Instead, the victims are specifically chosen.

The Gallmaker attackers gain access to the victims' systems through spear-phishing emails that deliver malicious Office documents that use titles with government, military and diplomatic themes, according to Symantec. The emails are written in English or Cyrillic and while not sophisticated, "evidence of infections shows that they're effective. The attackers use filenames that would be of interest to a variety of targets in Eastern Europe," the researchers wrote. (See Kaspersky: Spear-Phishing Attacks Target 400 Industrial Companies.)

The malicious documents exploit the Microsoft Office Dynamic Data Exchange (DDE), which can legitimately be used to send messages between Microsoft applications to share data between Excel and Word, for example. Security researchers last year found it could be used by attackers to execute code on victims' machines and was exploited in several malware campaigns later in the year.

In December Microsoft issued an update disabling DDE in Word and Excel, but the victims in the Gallmaker campaign had not installed the patch, the Symantec analysts note.

After gaining access to a system, the attackers use such available tools as WindowsRoamingToolsTask aimed at PowerShell, a "reverse tco" payload from Metasploit that also leverages PowerShell and a legitimate version of the WinZip console.

Researchers also have found the Rex PowerShell library, which is available on GitHub, on victims' systems. The library can be used to create and manipulate PowerShell scripts so they can be used with Metasploit exploits. Gallmaker is using three IP addresses for its command-and-control (C&C) infrastructure and in an effort to avoid detection deletes some of its tools from those systems once the group is finished.

Jon DiMaggio, senior threat intelligence analyst at Symantec Security Response, told Security Now in an email that the use of LotL techniques is increasingly popular among cybercriminal groups in targeted attacks because "it makes it harder for defenders to identify and mitigate the activity."

"Often this activity will blend in with legitimate operational activity conducted by administrators," DiMaggio wrote. "In addition to having a multi-tiered defensive solution such as the use of firewalls, intrusion prevention systems and endpoint protection, defenders need to monitor and restrict the use of administrative tools on their networks. It is no longer enough to monitor nefarious traffic or wait for an alert based on malicious activity."

Symantec researchers were able to detect Gallmaker through the vendor's Targeted Attack Analytics (TAA) technology, which leverages artificial intelligence capabilities, to identify specific PowerShell commands used by the group as being suspicious, convincing them to further investigate, DiMaggio added. Otherwise, Gallmaker may have remained undetected.

"The use of LotL tactics on its own is not unique to only state-sponsored threats," DiMaggio said. "However, there has been a definite change in tactics and we are seeing an increase in adversaries using LotL as part of their attack. Since this makes it harder to defend against and identify, we anticipate this trend will continue. If defenders begin to identify and prevent this type of activity quicker and more efficiently, it would likely curve the trend, but at this stage it does not appear to be the case."

Security analysts need to also look at legitimate activity using administrative tools along with investigating malicious activity. Until then, bad actors will continue using LotL tactics, he added.

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-06
The parse_report() function in whoopsie.c in Whoopsie through 0.2.69 mishandles memory allocation failures, which allows an attacker to cause a denial of service via a malformed crash file.
PUBLISHED: 2020-07-06
PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor.
PUBLISHED: 2020-07-06
It's possible to inject JavaScript code via the html method.
PUBLISHED: 2020-07-06
It's possible to use <<script>script> in order to go over the filtering regex.
PUBLISHED: 2020-07-06
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.