Attacker also using living off the land (LotL) tactics and publicly available hacking tools in order infiltrate the targeted network.
The term living off the land indicates that the attackers increasingly making use of pre-installed system tools on targeted computers or running simple scripts and shellcode directly in memory.
This helps attackers to evade the detection by traditional security software and the attacker work will hide in legitimate system administration work.
Attacker group Mainly targeting the Eastern European country and military and defense targets in the Middle East.
This groups actively attacking since December 2017 and researcher most recently observing this campaign in June 2018.
Attack Tactics – Gallmaker
Unlike other hacking groups, Gallmaker attackers actively observing the target system and using LotL tactics and publicly available hack tools.
The attacker’s group following various steps in order to gain the target system access then later they deploy the several hacking tools to perform further attacks.
Initially, attackers reach the target through spear-phishing email which contains an attached malicious documents that titles with the government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages.
Attackers created the document with an interesting file name “bg embassy list.docx” and “Navy.ro members list.docx” which is not much sophisticated but researchers believe its effective one to compromise the target.
Once the victims click and open the document, its force them to enable the content then it exploits the Microsoft Office Dynamic Data Exchange (DDE) protocol.
“If the user enables this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system”
Once the attackers gain access to the target victim device then they will execute the various different attacks using the following tools.
- WindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks
- A “reverse_tcp” payload from Metasploit – use obfuscated shellcode that is executed via PowerShell and download reverse shell.
- WinZip console: This creates a task to execute commands and communicate with the command-and-control (C&C) server.
- Rex PowerShell library – create and manipulate PowerShell scripts for use with Metasploit exploits
According to Symantec, Gallmaker is using three primary IP addresses for its C&C infrastructure to communicate with infected devices. There is also evidence that it is deleting some of its tools from victim machines once it is finished, to hide traces of its activity.