A newly uncovered and likely state-backed hacking operation is attacking governments and military organisations, using publicly available tools to execute a targeted cyber-espionage campaign.
Dubbed Gallmaker, the group has been active since at least December 2017 and doesn’t use malware to gain access to and control Windows systems; instead using tools like Metasploit and PowerShell to gain access to information in targeted attacks.
Discovered by researchers at Symantec, the hacking campaign is said to have targeted several overseas embassies of an unspecified Eastern European country in different regions around the world, as well as a series of military and defence targets in the Middle East that don’t appear to carry any specific links to the government target.
However, researchers are confident that targets are specifically selected by those behind the campaign, which bears the hallmark of being perpetrated by a state-backed group — but Symantec wouldn’t be drawn on exactly who could be behind the campaign or the exact targets of the attacks, only stating that the campaign is by a very knowledgeable organization.
Attacks begin with spear-phishing emails used to deliver documents with names related to government, military, or diplomatic themes. The documents are described as “not very sophisticated” and are designed to be of interest to targets in Eastern Europe – and are seemingly working.
These malicious lures don’t contain malware, but rather look to take advantage of an exploit in Microsoft Office Dynamic Data Exchange (DDE) protocol, to gain access to machines. DDE is there to share data between Office applications, but researchers uncovered a vulnerability in the mechanism last year.
Microsoft initially pointed to the capability as a feature, not a vulnerability, before later releasing an update to ensure DDE is disabled by default in Word and Excel.
After a lure document is opened, the user is urged to enable ‘protected’ content – an action which enables the DDE protocol and allows attackers to remotely execute commands on the system.
Gallmaker is able to conduct espionage campaigns without malware by using a variety of tools and tasks, which are legitimately available on the web or embedded into the system processes of Windows machines.
For example, the ‘WindowsRoamingToolsTask’ is used to schedule PowerShell scripts and tasks, while the attackers use functions of the Metasploit penetration software toolkit to obfuscate shellcode that’s executed using PowerShell.
The attackers use a legitimate version of WinZip to execute commands and communicate with their command and control server – it’s likely this is also used to archive data for the purposes of stealing files and other data.
The Gallmaker group has also been observed using the publicly available Rex PowerShell library to create and manipulate PowerShell scripts for using with Metasploit exploits.
Researchers note that when Gallmaker attacks have been observed, there’s evidence of tools being deleted from victim machines once a campaign is finished, in order to bolster the operational security and hide traces of activity.
This attempt to cover their tracks and the way in which the attackers ‘live off the land’ indicates that Gallmaker is very concerned with not being discovered – and likely made by a knowledgeable group with experience in espionage.
“The tools used by Gallmaker are publicly available and can be used for legitimate purposes. The fact that they may have legitimate reasons to be on a device means their presence may not necessarily arouse suspicion, hence their appeal to attackers,” Dick O’Brien, threat researcher at Symantec told ZDNet.
“The group is disciplined and tries to maintain good operational security. Because they can mount every stage of an attack without resorting to malware, this points to a group who are more knowledgeable and skilled than most espionage groups,” he added.
Researchers aren’t able to determine if campaigns by Gallmaker have been successful in stealing data from targets, but have identified 20 separate attacks that took place between December and June – almost half of these occurred in April.
One element linking all the targets of the campaign is that they haven’t installed the patch which disables DDE by default – it’s likely that those behind Gallmaker are being opportunistic and hoping that the patch hasn’t been deployed, rather than explicitly knowing that to be the case.
The most recent activity by the group was in June, but that doesn’t necessarily mean that Gallmaker has ceased operations as other campaigns have proven that attackers can remain dormant for months, even years at a time before resuming activity.
It can be difficult for organisations to protect themselves from living off the land tactics – the way that the tools can hide in plain sight is what makes them popular for cyber criminal operations – but there are a number of things that can be done to minimize risk.
This includes applying security updates and patches as new vulnerabilities come to light, ensuring that sensitive data is encrypted to reduce the impact of data leaks, and educating employees about the risks of opening emails and documents from unfamiliar sources where possible.
READ MORE ON CYBER CRIME