Where am I?
SECURITM is an SGRC system that automates the processes of an information security function. SECURITM helps build and manage protection for ISPDn (personal data information systems), KII (critical information infrastructure), GIS (state information systems), an ISMS, and banking security systems.
SECURITM is also a place where security teams exchange experience and working materials.

GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)
ID: G0093
Associated Groups: Operation Soft Cell
Version: 3.0
Created: 18 Jul 2019
Last Modified: 12 Aug 2022

Associated Group Descriptions

Name Description
Operation Soft Cell (Citation: Cybereason Soft Cell June 2019)

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.(Citation: Cybereason Soft Cell June 2019)

.003 Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1136 .002 Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)
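A new domain account that is placed in a privileged group shortly after creation is the audit-log shape of this technique. The following is an added example (not from the cited reports) that correlates Windows Security Event ID 4720 ("A user account was created") with a later 4728/4732/4756 group-membership add of the same SID to a privileged group inside a time window. The event records, account names and SIDs are constructed; the field names are the ones those events carry.

```python
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators"}
# 4728 / 4732 / 4756: member added to a security-enabled global / local / universal group
GROUP_ADD_EVENTS = {4728, 4732, 4756}


def correlate(events, window=timedelta(hours=24)):
    """Pair each 4720 with a later privileged-group add of the same SID within the window."""
    created = {}   # TargetSid of the new account -> its 4720 record
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["id"] in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            # group events name the group in TargetUserName and the member by MemberSid
            origin = created.get(ev["MemberSid"])
            if origin and ev["time"] - origin["time"] <= window:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "group": ev["TargetUserName"],
                    "added_by": ev["SubjectUserName"],
                    "minutes_between": (ev["time"] - origin["time"]).total_seconds() / 60,
                })
    return alerts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample records (hypothetical names and SIDs).
SAMPLE_EVENTS = [
    {"id": 4720, "time": ts("2019-03-12T02:14:00"), "SubjectUserName": "itadmin",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"id": 4728, "time": ts("2019-03-12T02:19:00"), "SubjectUserName": "itadmin",
     "TargetUserName": "Domain Admins", "MemberSid": "S-1-5-21-1-2-3-1105"},
    # same new account into a non-privileged group: not an alert
    {"id": 4728, "time": ts("2019-03-12T09:00:00"), "SubjectUserName": "itadmin",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-1-2-3-1105"},
    # long-standing account added to Domain Admins with no preceding 4720: not this pattern
    {"id": 4728, "time": ts("2019-03-12T10:00:00"), "SubjectUserName": "itadmin",
     "TargetUserName": "Domain Admins", "MemberSid": "S-1-5-21-1-2-3-500"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['account']} created by {a['created_by']} and added to {a['group']} "
              f"by {a['added_by']} after {a['minutes_between']:.0f} min")
```

The match is on SID rather than name because the 4728 MemberName field is a distinguished name and can differ in form from the 4720 TargetUserName; the 24-hour window is an arbitrary starting point to tune.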

Enterprise T1074 .001 Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)
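One way to hunt for this archive-and-stage pattern (WinRAR with encryption, multi-part volumes, output under the Recycle Bin) in process-creation telemetry, as an added example that is not from the cited reports or from GALLIUM's tooling: it flags rar.exe / WinRAR.exe command lines that add files with a password (-p or -hp), split the archive into volumes (-v), delete the sources afterwards (-df) or write the archive under the Recycle Bin. The switch names are WinRAR's documented ones; the event records, paths and SID are constructed samples.

```python
import re
import shlex
from dataclasses import dataclass, field

RAR_IMAGES = {"rar.exe", "winrar.exe"}
# $Recycle.Bin is the Vista+ folder name, RECYCLER the pre-Vista one
RECYCLE_RE = re.compile(r"\\(\$recycle\.bin|recycler)\\", re.IGNORECASE)
# -v<size>[b|k|m|g] splits the archive into volumes of that size
VOLUME_RE = re.compile(r"^-v\d+[bkmg]?$", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    archive: str
    reasons: list = field(default_factory=list)


def analyse_rar_cmdline(image, cmdline):
    """Return a Finding when a RAR 'add' command looks like exfiltration staging, else None."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in RAR_IMAGES:
        return None
    try:
        # posix=False keeps backslashes literal; quotes stay on the token and are stripped here
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes in a hostile command line
        return None
    switches = [t for t in tokens[1:] if t.startswith("-")]
    operands = [t for t in tokens[1:] if not t.startswith("-")]
    # only the 'a' (add to archive) command stages data; 'x', 'l', 't' and friends do not
    if not operands or operands[0].lower() != "a":
        return None
    archive = operands[1] if len(operands) > 1 else ""
    reasons = []
    for sw in switches:
        low = sw.lower()
        if low.startswith("-hp"):
            reasons.append("encrypts file data and headers (-hp)")
        elif low.startswith("-p") and low != "-p-":
            reasons.append("password-protects the archive (-p)")
        elif VOLUME_RE.match(low):
            reasons.append(f"splits into volumes ({sw})")
        elif low == "-df":
            reasons.append("deletes source files after archiving (-df)")
    if RECYCLE_RE.search(archive):
        reasons.append("archive written under the Recycle Bin")
    return Finding(image, archive, reasons) if reasons else None


def scan(events):
    """Apply the check to records carrying Image and CommandLine, as Sysmon Event ID 1 does."""
    return [f for f in (analyse_rar_cmdline(e["Image"], e["CommandLine"]) for e in events) if f]


# Constructed sample records; the SID in the Recycle Bin path is hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\rar.exe",
     "CommandLine": r'rar.exe a -r -hpP@ssw0rd -v100m -df "C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\$RXK1.rar" "C:\Users\jdoe\Documents"'},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\jdoe\Downloads\backup.rar'},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -m5 D:\backups\weekly.rar D:\data"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.image, f.archive, "; ".join(f.reasons), sep="\n  ")
```

A plain `rar a` without a password or volume switch is left alone on purpose; backup jobs produce plenty of those, and the signal here is the combination of encryption, splitting and an odd destination.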

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1036 .003 Masquerading: Rename System Utilities

GALLIUM used a renamed cmd.exe file to evade detection.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

.002 OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.(Citation: Cybereason Soft Cell June 2019)
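Both the renamed cmd.exe above and the reg-based hive dumps leave their trace in process-creation telemetry. The following is an added example (not from the cited reports) of two checks over Sysmon Event ID 1 fields: a rename check comparing the on-disk file name with the OriginalFileName that Sysmon reads from the binary's PE version resource, and a command-line check for reg save or export of the SAM, SYSTEM or SECURITY hives (SYSTEM holds the boot key needed to decrypt the SAM hashes, so the two are usually taken together). The sample records and paths are constructed; treating "-" and "?" as "no version resource" is an assumption about how Sysmon renders an absent field.

```python
import shlex
from pathlib import PureWindowsPath

# Utilities whose on-disk name should match Sysmon's OriginalFileName field
WATCHED_ORIGINALS = {"cmd.exe", "reg.exe", "powershell.exe", "rundll32.exe", "schtasks.exe"}
CRED_HIVES = {"sam", "system", "security"}
ROOT_ALIASES = {"hkey_local_machine": "hklm"}


def renamed_utility(image, original_file_name):
    """True when a watched binary runs under a different file name than it was built with."""
    if not original_file_name or original_file_name in ("-", "?"):
        return False  # assumption: no version resource was readable, so nothing to compare
    ofn = original_file_name.lower()   # OriginalFileName is 'Cmd.Exe'; compare case-insensitively
    if ofn not in WATCHED_ORIGINALS:
        return False
    return PureWindowsPath(image).name.lower() != ofn


def hive_dump(cmdline):
    """Return 'sam', 'system' or 'security' when reg saves/exports that HKLM hive, else None."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    for i, tok in enumerate(tokens):
        if PureWindowsPath(tok).name.lower() not in ("reg", "reg.exe"):
            continue
        if i + 2 >= len(tokens) or tokens[i + 1].lower() not in ("save", "export"):
            continue
        key = tokens[i + 2].lower().replace("/", "\\")
        root, _, rest = key.partition("\\")
        hive = rest.split("\\", 1)[0]
        if ROOT_ALIASES.get(root, root) == "hklm" and hive in CRED_HIVES:
            return hive
    return None


def triage(event):
    """Collect findings for one process-creation record."""
    reasons = []
    if renamed_utility(event["Image"], event.get("OriginalFileName", "")):
        reasons.append(f"{event['OriginalFileName']} running as {PureWindowsPath(event['Image']).name}")
    hive = hive_dump(event["CommandLine"])
    if hive:
        reasons.append(f"registry hive dump of HKLM\\{hive.upper()}")
    return reasons


# Constructed sample records (paths and names are hypothetical).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"svchost.exe /c reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c reg.exe save "HKEY_LOCAL_MACHINE\SYSTEM" C:\Windows\Temp\sys.hiv'},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["CommandLine"], triage(ev) or "clean", sep="\n  ")
```

The rename check needs Sysmon rather than the native 4688 event, because 4688 does not record OriginalFileName; the hive-dump check works on either, as long as command-line auditing is on.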

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019)

.005 Obfuscated Files or Information: Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1090 .002 Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.(Citation: Cybereason Soft Cell June 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by creating a scheduled task.(Citation: Cybereason Soft Cell June 2019)
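To see what such a task looks like in the Security log, here is an added example (not from the cited reports) that parses the TaskContent XML carried by Windows Security Event ID 4698 ("A scheduled task was created") and scores the task on where its command lives, which trigger fires it and the principal it runs as. The task names, command paths and XML documents are constructed; the XML namespace is the one Task Scheduler uses.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata|\$recycle\.bin|perflogs)\\", re.IGNORECASE)
PROXY_LOADERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


@dataclass
class TaskSummary:
    name: str
    command: str
    arguments: str
    triggers: list
    run_level: str
    user_id: str
    reasons: list = field(default_factory=list)


def parse_task(task_name, task_content):
    """Summarise and score one 4698 TaskContent document."""
    # TaskContent declares encoding="UTF-16" but arrives here as an already-decoded str,
    # so the declaration is dropped before parsing.
    root = ET.fromstring(XML_DECL.sub("", task_content, count=1))
    exec_el = root.find("t:Actions/t:Exec", TASK_NS)
    command = arguments = ""
    if exec_el is not None:
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [child.tag.split("}")[-1] for child in triggers_el] if triggers_el is not None else []
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS).strip()
    user_id = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS).strip()
    summary = TaskSummary(task_name, command, arguments, triggers, run_level, user_id)

    exe = PureWindowsPath(command).name.lower()
    if USER_WRITABLE.search(command):
        summary.reasons.append("command lives in a user-writable directory")
    if exe in PROXY_LOADERS and USER_WRITABLE.search(arguments):
        summary.reasons.append(f"{exe} loads a payload from a user-writable directory")
    if {"BootTrigger", "LogonTrigger"} & set(triggers) and run_level == "HighestAvailable":
        summary.reasons.append("fires at boot/logon with highest available privileges")
    if user_id == "S-1-5-18":
        summary.reasons.append("runs as LocalSystem")
    return summary


# Constructed TaskContent samples; names and paths are hypothetical.
SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\ProgramData\Adobe\update.exe</Command><Arguments>-s</Arguments></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-08-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1-2-3-1104</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\agent.exe</Command><Arguments>/sync</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in ((r"\Adobe\AdobeUpdateTask", SUSPICIOUS_TASK), (r"\Vendor\Sync", BENIGN_TASK)):
        s = parse_task(name, xml)
        print(name, s.command, s.triggers, s.reasons or "clean", sep="\n  ")
```

4698 is only written when "Audit Other Object Access Events" is enabled; without it, the fallback is the schtasks.exe /create command line in process-creation logs, which carries far less of the task definition.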

Enterprise T1505 .003 Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.(Citation: Microsoft GALLIUM December 2019)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.(Citation: Cybereason Soft Cell June 2019)

Software

ID Name References Techniques
S0039 Net (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0110 at (Citation: Cybereason Soft Cell June 2019) (Citation: Linux at) (Citation: TechNet At) At
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Microsoft GALLIUM December 2019) LSASS Memory
S0100 ipconfig (Citation: Cybereason Soft Cell June 2019) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S1031 PingPull (Citation: Unit 42 PingPull Jun 2022) Non-Standard Port, File and Directory Discovery, Data from Local System, Web Protocols, System Information Discovery, Masquerade Task or Service, System Network Configuration Discovery, Standard Encoding, Windows Service, Timestomp, Non-Application Layer Protocol, Windows Command Shell, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, Symmetric Cryptography
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Cybereason Soft Cell June 2019) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Microsoft GALLIUM December 2019) Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery
S0564 BlackMould (Citation: Microsoft GALLIUM December 2019) System Information Discovery, Windows Command Shell, Web Protocols, Data from Local System, File and Directory Discovery, Ingress Tool Transfer
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Cybereason Soft Cell June 2019) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cybereason Soft Cell June 2019) (Citation: Deply Mimikatz) (Citation: Microsoft GALLIUM December 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0012 PoisonIvy (Citation: Breut) (Citation: Cybereason Soft Cell June 2019) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Microsoft GALLIUM December 2019) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0590 NBTscan (Citation: Cybereason Soft Cell June 2019) (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0097 Ping (Citation: Cybereason Soft Cell June 2019) (Citation: TechNet Ping) Remote System Discovery
S0106 cmd (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft GALLIUM December 2019) (Citation: TechNet Cmd) (Citation: TechNet Copy) (Citation: TechNet Del) (Citation: TechNet Dir) File and Directory Discovery, Ingress Tool Transfer, System Information Discovery, File Deletion, Windows Command Shell, Lateral Tool Transfer
S0075 Reg (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft Reg) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0040 HTRAN (Citation: Cybereason Soft Cell June 2019) (Citation: HUC Packet Transmit Tool) (Citation: Microsoft GALLIUM December 2019) (Citation: NCSC Joint Report Public Tools) (Citation: Operation Quantum Entanglement) Proxy, Rootkit, Process Injection
S0029 PsExec (Citation: Cybereason Soft Cell June 2019) (Citation: Microsoft GALLIUM December 2019) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account