GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)
ID: G0093
Associated Groups: Granite Typhoon
Version: 4.0
Created: 18 Jul 2019
Last Modified: 17 Apr 2024

Associated Group Descriptions

Name Description
Granite Typhoon (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1136 .002 Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1574 .001 Hijack Execution Flow: DLL

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1036 .003 Masquerading: Rename Legitimate Utilities

GALLIUM used a renamed cmd.exe file to evade detection.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1090 .002 Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by creating a scheduled task.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1505 .003 Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.(Citation: Cybereason Soft Cell June 2019)
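The following is an added example, not part of the ATT&CK entry, showing how a defender can turn three of the behaviours listed above (T1003.002 registry hive dumps via reg, T1036.003 renamed cmd.exe, T1074.001 multi-part archives staged in the Recycle Bin) into simple process-creation detections. The events are constructed here for illustration; the field names (Image, OriginalFileName, CommandLine) are assumed to follow Sysmon Event ID 1.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"svchost.exe /c whoami"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"Rar.exe a -v100m -hp C:\$Recycle.Bin\S-1-5-21-1\d.rar C:\Users\a\Documents"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir"},  # benign: cmd.exe under its own name
]

# reg.exe exporting the SAM, SECURITY or SYSTEM hive (T1003.002).
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)
# Archive written under $Recycle.Bin (T1074.001) ...
RECYCLE_STAGING = re.compile(
    r"\\\$recycle\.bin\\.*\.(?:rar|zip|7z|r\d{2}|part\d+\.rar)\b", re.I)
# ... by an archiver invoked with volume-split (-v) or password (-hp/-p) flags.
ARCHIVER_FLAGS = re.compile(r"(?:^|\s)-(?:v\d+\w?|hp|p)\S*", re.I)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event):
    """Return a list of (technique_id, reason) tuples for one event."""
    hits = []
    cmd = event.get("CommandLine", "")
    if HIVE_DUMP.search(cmd):
        hits.append(("T1003.002", "reg.exe saving SAM/SECURITY/SYSTEM hive"))
    # PE version info still says Cmd.Exe, but the file on disk was renamed.
    if (event.get("OriginalFileName", "").lower() == "cmd.exe"
            and basename(event.get("Image", "")) != "cmd.exe"):
        hits.append(("T1036.003", "cmd.exe running under another file name"))
    if RECYCLE_STAGING.search(cmd) and ARCHIVER_FLAGS.search(cmd):
        hits.append(("T1074.001", "split/encrypted archive written to $Recycle.Bin"))
    return hits


def scan(events):
    """Run detect() over a list of events; yields (event_index, hit) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


if __name__ == "__main__":
    for idx, (tid, why) in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} - {why}")
```

In production the Recycle Bin rule should also be paired with file-create telemetry, since the archive output path is not always visible on the command line.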

Software

ID Name References Techniques
S0039 Net (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0110 at (Citation: Cybereason Soft Cell June 2019) (Citation: Linux at) (Citation: TechNet At) At
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Microsoft GALLIUM December 2019) LSASS Memory
S0100 ipconfig (Citation: Cybereason Soft Cell June 2019) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S1031 PingPull (Citation: Unit 42 PingPull Jun 2022) Standard Encoding, Symmetric Cryptography, Windows Service, System Information Discovery, Data from Local System, Deobfuscate/Decode Files or Information, Timestomp, System Network Configuration Discovery, File and Directory Discovery, Masquerade Task or Service, Exfiltration Over C2 Channel, Non-Standard Port, Non-Application Layer Protocol, Windows Command Shell, Web Protocols
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Cybereason Soft Cell June 2019) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Microsoft GALLIUM December 2019) (Citation: Rapid7 HAFNIUM Mar 2021) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S0564 BlackMould (Citation: Microsoft GALLIUM December 2019) System Information Discovery, Data from Local System, File and Directory Discovery, Windows Command Shell, Web Protocols, Ingress Tool Transfer
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Cybereason Soft Cell June 2019) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cybereason Soft Cell June 2019) (Citation: Deply Mimikatz) (Citation: Microsoft GALLIUM December 2019) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0012 PoisonIvy (Citation: Breut) (Citation: Cybereason Soft Cell June 2019) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Microsoft GALLIUM December 2019) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection
S0590 NBTscan (Citation: Cybereason Soft Cell June 2019) (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0097 Ping (Citation: Cybereason Soft Cell June 2019) (Citation: TechNet Ping) Remote System Discovery
S0106 cmd (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft GALLIUM December 2019) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) System Information Discovery, File and Directory Discovery, Lateral Tool Transfer, Windows Command Shell, File Deletion, Ingress Tool Transfer
S0075 Reg (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) Credentials in Registry, Modify Registry, Query Registry
S0040 HTRAN (Citation: Cybereason Soft Cell June 2019) (Citation: HUC Packet Transmit Tool) (Citation: Microsoft GALLIUM December 2019) (Citation: NCSC Joint Report Public Tools) (Citation: Operation Quantum Entanglement) Rootkit, Process Injection, Proxy
S0029 PsExec (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft GALLIUM December 2019) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
