GALLIUM
Associated Group Descriptions

| Name | Description |
|---|---|
| Granite Typhoon | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.004 | Acquire Infrastructure: Server | GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | GALLIUM used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1136.002 | Create Account: Domain Account | GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1036.003 | Masquerading: Rename System Utilities | GALLIUM used a renamed cmd.exe file to evade detection.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | GALLIUM used |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | GALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | GALLIUM ensured each payload had a unique hash, including by using different types of packers.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | GALLIUM has used a variety of widely available tools, which in some cases it modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1090.002 | Proxy: External Proxy | GALLIUM used a modified version of HTRAN to redirect connections between networks.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | GALLIUM established persistence for PoisonIvy by creating a scheduled task.(Citation: Cybereason Soft Cell June 2019) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | GALLIUM used web shells to persist in victim environments and assist in execution and exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | GALLIUM has used stolen certificates to sign its tools, including certificates from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019) |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | GALLIUM used dumped hashes to authenticate to other machines via pass the hash.(Citation: Cybereason Soft Cell June 2019) |
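Three of the rows above (the renamed cmd.exe, the multi-part archives staged in the Recycle Bin, and the scheduled task used for PoisonIvy persistence) leave host telemetry that is straightforward to match. The following is an added example, not code from the ATT&CK page or from the cited Cybereason or Microsoft reports, of simple detection logic for those three behaviours run over constructed Sysmon-style event records (Event ID 1 process creation, whose OriginalFileName field is taken from the PE version resource and so survives renaming on disk, and Event ID 11 file creation). The event values, the list of utilities worth alerting on, and the assumption that the task was created with `schtasks.exe /create` are all invented for illustration; the reports do not state how GALLIUM created the task.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Field names follow Sysmon's schema; every value here is invented for this example.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Temp\winupdate.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"winupdate.exe /c whoami /all"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr C:\Users\Public\up.exe'},
    {"EventID": 11, "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\data.part01.rar"},
    {"EventID": 11, "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\data.part02.rar"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

# Utilities whose renaming is worth alerting on (T1036.003). Hypothetical list for
# the example; tune it to the environment.
SYSTEM_UTILITIES = {
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe",
}

# Multi-part RAR volumes (name.part01.rar or name.r00) plus single archives.
ARCHIVE_RE = re.compile(r"\.(part\d+\.rar|r\d\d|rar|zip|7z)$", re.IGNORECASE)
RECYCLE_BIN_RE = re.compile(r"^[A-Z]:\\\$Recycle\.Bin\\", re.IGNORECASE)


def renamed_system_utility(ev):
    """T1036.003: the PE's internal name is a known utility but the on-disk name differs."""
    if ev.get("EventID") != 1:
        return False
    original = ev.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(ev.get("Image", "")).lower()
    return original in SYSTEM_UTILITIES and original != on_disk


def archive_staged_in_recycle_bin(ev):
    """T1074.001 / T1560.001: an archive volume written under $Recycle.Bin."""
    if ev.get("EventID") != 11:
        return False
    path = ev.get("TargetFilename", "")
    return bool(RECYCLE_BIN_RE.match(path)) and bool(ARCHIVE_RE.search(path))


def scheduled_task_created(ev):
    """T1053.005: schtasks.exe invoked with /create (assumed creation method)."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "").lower()
    return ev.get("OriginalFileName", "").lower() == "schtasks.exe" and "/create" in cmd


RULES = {
    "T1036.003 renamed system utility": renamed_system_utility,
    "T1074.001 archive staged in Recycle Bin": archive_staged_in_recycle_bin,
    "T1053.005 scheduled task created": scheduled_task_created,
}


def run_detections(events):
    """Return (rule_name, event) pairs for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in run_detections(EVENTS):
        print(f"[{name}] {ev.get('Image') or ev.get('TargetFilename')}")
```

Against the constructed events the renamed-utility rule fires only on the winupdate.exe record (the genuine cmd.exe is left alone), the Recycle Bin rule fires on both RAR volumes and not on the Documents file, and the task rule fires once. Matching on OriginalFileName rather than on the command line is the point of the first rule: an attacker controls the file name and arguments, but not the version resource of the binary they copied.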
References
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.