13 December 2019

GALLIUM threat group targets global telcos using widely available tools


The Microsoft Threat Intelligence Center (MSTIC) issued a warning about attacks aimed at telecommunication providers from all around the globe conducted by a hacking group, which Microsoft calls GALLIUM.

The GALLIUM threat actor scans for internet-exposed and vulnerable web servers, such as Red Hat's WildFly (formerly JBoss), and then uses publicly known exploits to attack them. After gaining access and establishing persistence in a victim's network, the group uses common techniques and tools such as Mimikatz to gather credentials and move laterally within the network. According to Microsoft, while GALLIUM is still active, its activity levels were much higher from 2018 to mid-2019.

Once the attackers have compromised the target network, they use a variety of tools to perform reconnaissance and move laterally within it. Most of these are common tools such as HTRAN, Mimikatz, NBTScan, Netcat, PsExec, Windows Credential Editor (WCE), and WinRAR, or tweaked versions of known security tools.

The GALLIUM group relies heavily on web shells, such as China Chopper, as the first stage of the attack chain to gain persistence in the target network; it then delivers malware through the existing web shell access. In addition to China Chopper, GALLIUM has been using BlackMould, a native web shell for servers running Microsoft IIS that is based on China Chopper. The BlackMould web shell can enumerate local drives; read, write, delete, and copy files; exfiltrate and infiltrate files; and run cmd.exe with parameters.

“GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan,” Microsoft said.
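As an added example (not from the article or Microsoft's report), a small Python check that flags DNS query log lines naming subdomains of the two dynamic-DNS zones quoted above; the log format and all hostnames are constructed for the example.

```python
"""Flag DNS queries for hosts under the dynamic-DNS zones the article
attributes to GALLIUM C2. Log format and hostnames are constructed."""

# Dynamic-DNS zones named in the Microsoft report quoted above.
WATCHED_ZONES = ("ddns.net", "myftp.biz")

# Constructed sample DNS query log: "<timestamp> <client_ip> <qname>".
SAMPLE_DNS_LOG = """\
2019-12-10T08:01:12Z 10.20.4.15 updates.example.internal
2019-12-10T08:01:19Z 10.20.4.15 svc-report.ddns.net
2019-12-10T08:02:03Z 10.20.7.9 cdn.example.net
2019-12-10T08:02:44Z 10.20.4.15 ftpsync.myftp.biz
2019-12-10T08:03:10Z 10.20.9.2 notddns.net
2019-12-10T08:03:31Z 10.20.9.2 DDNS.NET
"""


def is_under_watched_zone(qname: str) -> bool:
    """True if qname is a subdomain (not the apex) of a watched zone.

    Matching is on label boundaries, so look-alikes such as 'notddns.net'
    are not flagged; the bare apex carries no attacker-chosen subdomain.
    """
    name = qname.rstrip(".").lower()
    return any(name.endswith("." + zone) for zone in WATCHED_ZONES)


def find_dynamic_dns_queries(log_text: str) -> list:
    """Return (timestamp, client_ip, qname) for each line hitting a watched zone."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash
        ts, client, qname = parts
        if is_under_watched_zone(qname):
            hits.append((ts, client, qname.rstrip(".").lower()))
    return hits


def clients_by_hit_count(hits: list) -> dict:
    """Count hits per client so repeated lookups from one host stand out."""
    counts: dict = {}
    for _, client, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts
```

In a real deployment the same check would run over resolver or EDR DNS telemetry, and any hit is a lead for triage, not proof of compromise, since these providers also have legitimate users.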

In some cases the group delivered customized versions of the Gh0st RAT and Poison Ivy malware, with both RATs using modified communication methods in order to evade detection. The researchers also observed the GALLIUM crew employing SoftEther VPN software to gain access to the target network and maintain persistence.

The list of tools and IoCs related to GALLIUM's activity is provided in the last section of Microsoft's report.
