Gallmaker: New APT group targeting global government, military and defense agencies

• Gallmaker is a previously unknown APT group that was found living-off-the-land (LotL) tactics to attack global targets.
• Gallmaker has been active since December 2017 and uses publicly available hacking tools, instead of malware.

The malicious activities of a previously unknown APT group dubbed “Gallmaker” were recently discovered by security experts. Gallmaker has been active since 2017 and was found targeting government, military and defense agencies across the globe.

The hacker group uses living-off-the-land (LotL) tactics - employing publicly available hacking tools, instead of malware in its operations. So far, the attackers have targeted several overseas embassies of an Eastern European nation, as well as several military and defense agencies in the Middle East.

According to security researchers at Symantec, who discovered Gallmaker’s activities, the group’s most recent campaign took place in June 2018.

Modus Operandi

Gallmaker delivers malicious Office documents via phishing emails. The documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol to gain access to the victim’s systems.

“When the victim opens the lure document, a warning appears asking victims to ‘enable content’. Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system,” Symantec researchers said in report. “By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.”

The group makes use of a wide variety of tools such as obfuscated shellcode, the WindowsRoamingToolsTask, which is used to schedule PowerShell scripts and tasks and more. Gallmaker is also currently making use of three main IP addresses for its C2 infrastructure and to communicate with infected devices. The group also deletes some of the hacking tools it used from a victim’s computer after it has completed the operation. This is presumably done to hide its activities.

Gallmker’s targets

Like other cyberespionage groups, Gallmaker appears to be conducting highly targeted attacks. It has targeted the embassies, located in different regions around the world, of one particular Eastern European nation. The group has also gone after a defense contractor and a military organization - both of which are located in the Middle East.

“There are no obvious links between the Eastern European and Middle Eastern targets, but it is clear that Gallmaker is specifically targeting the defense, military, and government sectors: its targets appear unlikely to be random or accidental,” Symantec researchers added. “The group has carried out attacks most months since December 2017. Its activity subsequently increased in the second quarter of 2018, with a particular spike in April 2018.”

Symantec researchers believe that Gallmaker is likely a state-sponsored cyberespionage group. The group’s discovery hints at how sophisticated threat groups work at keeping themselves hidden while conducting intrusive operations. Gallmaker’s existence also highlights how an incredible amount of malicious activity can go unnoticed or undiscovered in cyberspace.