The Microsoft Threat Intelligence Center (MSTIC) has issued a warning about attacks on telecommunication providers around the globe by a hacking group that Microsoft tracks as GALLIUM.
The GALLIUM threat actor scans for internet-exposed, vulnerable web servers, such as the Red Hat-developed WildFly (aka JBoss), and then uses publicly known exploits to compromise them. After gaining access and establishing persistence in a victim's network, the group uses common techniques and tools such as Mimikatz to gather credentials and move laterally within the network. According to Microsoft, GALLIUM is still active, but its activity levels were much higher from 2018 to mid-2019.
Once the attackers have compromised a network, they use a variety of tools to perform reconnaissance and move laterally. Most of these are common tools such as HTRAN, Mimikatz, NBTScan, Netcat, PsExec, Windows Credential Editor (WCE), and WinRAR, or tweaked versions of known security tools.
The GALLIUM group relies heavily on web shells, such as China Chopper, as the first stage of the attack chain to gain persistence in the target network, then delivers malware through the existing web shell access. In addition to China Chopper, GALLIUM has been using BlackMould, a native web shell for servers running Microsoft IIS that is based on the China Chopper web shell. The BlackMould web shell can enumerate local drives; read, write, delete, and copy files; exfiltrate and infiltrate files; and run cmd.exe with parameters.
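Because BlackMould runs cmd.exe from inside the IIS worker process, the most reliable host-side signal for this stage is a shell interpreter whose parent is a web-server worker. The following is an added detection example, not code from Microsoft's report: it runs that parent/child check over constructed process-creation records in a simplified Sysmon-like shape. The worker-process names are assumptions (w3wp.exe for IIS, java.exe for a Java application server such as WildFly/JBoss), as are the sample paths and users.

```python
"""Flag shell interpreters spawned by a web-server worker process.

Added example, not Microsoft's or the report's code. Records are constructed
and mimic the fields of a Sysmon process-creation event (parent image, image,
command line, user). A web shell such as BlackMould executes cmd.exe from the
IIS worker, so cmd.exe or powershell.exe with a web worker as parent is the
lineage a defender wants to alert on.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: worker-process names for IIS (w3wp.exe) and for a Java
# application server such as WildFly/JBoss (java.exe).
WEB_WORKERS = {"w3wp.exe", "java.exe"}
# Interpreters a web shell typically hands its commands to.
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\Cmd.EXE' -> 'cmd.exe'."""
    return PureWindowsPath(path).name.lower()


def is_webshell_exec(ev: ProcEvent) -> bool:
    """True when a shell interpreter's parent is a web-server worker."""
    return basename(ev.parent_image) in WEB_WORKERS and basename(ev.image) in SHELLS


def find_alerts(events):
    """Return the subset of events matching the web-shell execution lineage."""
    return [ev for ev in events if is_webshell_exec(ev)]


def describe(ev: ProcEvent) -> str:
    return (f"{basename(ev.parent_image)} -> {basename(ev.image)} "
            f"as {ev.user}: {ev.command_line}")


# Constructed sample events (paths, users and commands are made up).
SAMPLE_EVENTS = [
    # IIS worker spawning cmd.exe: the BlackMould/China Chopper pattern.
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
              r"IIS APPPOOL\DefaultAppPool"),
    # Service host starting the IIS worker itself: normal.
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe",
              "w3wp.exe -ap DefaultAppPool", r"NT AUTHORITY\SYSTEM"),
    # An administrator opening a prompt from the desktop: normal.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe", r"CORP\admin"),
    # Java application server spawning PowerShell: same lineage, other server.
    ProcEvent(r"C:\wildfly\bin\java.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile", r"CORP\svc-jboss"),
    # IIS worker spawning a non-shell helper: not flagged by this rule.
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\conhost.exe", "conhost.exe",
              r"IIS APPPOOL\DefaultAppPool"),
]

if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", describe(ev))
```

The rule is deliberately narrow (parent in a small worker set, child in a small interpreter set) so it stays low-noise; widening `SHELLS` to include other LOLBins trades precision for coverage and should be done against a baseline of what the application pools in a given environment legitimately spawn.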
“GALLIUM predominantly uses dynamic DNS subdomains to provide command and control (C2) infrastructure for their malware. Typically, the group uses the ddns.net and myftp.biz domains provided by noip.com. GALLIUM domains have been observed hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan,” Microsoft said.
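Dynamic DNS C2 leaves a simple network-side trail: lookups for subdomains of the provider domains. The block below is an added example, not code from Microsoft's report; it scans DNS-resolver log lines for subdomains of the two provider domains the report names (ddns.net and myftp.biz) and aggregates hits per client so repeated lookups stand out. The log layout (`timestamp client query type name`), the client addresses and the host names are all constructed.

```python
"""Flag DNS queries for subdomains of dynamic DNS providers used for C2.

Added example, not Microsoft's code. It parses a made-up resolver log layout,
matches query names under the provider domains named in the report, and
counts hits per client. The bare provider apex is not flagged, since the
report describes subdomains; only 'something.ddns.net' style names match.
"""
import re
from collections import Counter, defaultdict

# Provider domains named in Microsoft's report; extend for other providers.
DYNAMIC_DNS_APEXES = ("ddns.net", "myftp.biz")

# Assumed log layout: '<timestamp> <client-ip> query <type> <name>'.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qtype>\w+)\s+(?P<qname>\S+)$"
)


def is_dynamic_dns_subdomain(qname: str) -> bool:
    """True for 'label.ddns.net' etc. (case-insensitive, trailing dot ignored)."""
    name = qname.rstrip(".").lower()
    return any(name.endswith("." + apex) for apex in DYNAMIC_DNS_APEXES)


def parse_line(line: str):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dynamic_dns_hits(lines):
    """Map client IP -> Counter of flagged query names (normalised)."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip comments/malformed lines instead of aborting the sweep
        if is_dynamic_dns_subdomain(rec["qname"]):
            hits[rec["client"]][rec["qname"].rstrip(".").lower()] += 1
    return dict(hits)


# Constructed sample log; hosts and addresses are placeholders, not real IoCs.
SAMPLE_LOG = """\
# resolver log (constructed)
2019-12-12T10:01:03Z 10.0.0.15 query A update.example-corp.internal
2019-12-12T10:01:07Z 10.0.0.15 query A placeholder-host.ddns.net
2019-12-12T10:01:09Z 10.0.0.22 query A www.microsoft.com
2019-12-12T10:01:13Z 10.0.0.15 query A placeholder-host.ddns.net.
2019-12-12T10:01:20Z 10.0.0.31 query A PLACEHOLDER-SVC.myftp.biz
2019-12-12T10:01:25Z 10.0.0.22 query A ddns.net
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for client, names in dynamic_dns_hits(SAMPLE_LOG.splitlines()).items():
        for qname, n in names.most_common():
            print(f"{client} -> {qname} ({n} lookups)")
```

Legitimate use of dynamic DNS exists, so treat the output as a hunting lead rather than a verdict: a client that resolves the same subdomain at regular intervals, or a server that should never talk to such domains at all, is the case worth escalating.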
In some cases the group delivered customized versions of the Gh0st RAT and Poison Ivy malware, with both RATs using modified communication methods to evade detection. The researchers also observed the GALLIUM crew employing SoftEther VPN software to gain access to the target network and maintain persistence.
The list of tools and IoCs related to GALLIUM's activity is provided in the final section of Microsoft's report.