
GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on the tools used and on TTPs commonly associated with Chinese threat actors.[1][2][3]

ID: G0093
Associated Groups: Granite Typhoon
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus
Version: 4.0
Created: 18 July 2019
Last Modified: 17 April 2024

Associated Group Descriptions

Name | Description
Granite Typhoon | [4]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1583.004 | Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]

Enterprise | T1560.001 | Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[1][2]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.[1]

Enterprise | T1136.002 | Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[1][2]

Enterprise | T1005 | Data from Local System

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise | T1074.001 | Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise | T1041 | Exfiltration Over C2 Channel

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[1]

Enterprise | T1190 | Exploit Public-Facing Application

GALLIUM exploited publicly-facing servers, including Wildfly/JBoss servers, to gain access to the network.[1][2]

Enterprise | T1133 | External Remote Services

GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[1][2]

Enterprise | T1574.001 | Hijack Execution Flow: DLL

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise | T1105 | Ingress Tool Transfer

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1][2]

Enterprise | T1570 | Lateral Tool Transfer

GALLIUM has used PsExec to move laterally between hosts in the target network.[2]

Enterprise | T1036.003 | Masquerading: Rename Legitimate Utilities

GALLIUM used a renamed cmd.exe file to evade detection.[1]

Enterprise | T1027 | Obfuscated Files or Information

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.[1]

Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[2]

Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1][2]

Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise | T1090.002 | Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise | T1018 | Remote System Discovery

GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network, as well as ping to identify remote systems.[1]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by creating a scheduled task.[1]

Enterprise | T1505.003 | Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[1][2]

Enterprise | T1553.002 | Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools, including those from Whizzimo LLC.[2]

Enterprise | T1016 | System Network Configuration Discovery

GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[1]

Enterprise | T1049 | System Network Connections Discovery

GALLIUM used netstat -oan to obtain information about the victim network connections.[1]

Enterprise | T1033 | System Owner/User Discovery

GALLIUM used whoami and query user to obtain information about the victim user.[1]

Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise | T1078 | Valid Accounts

GALLIUM leveraged valid accounts to maintain access to a victim network.[1]

Enterprise | T1047 | Windows Management Instrumentation

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]
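As an added example (not part of the ATT&CK page and not MITRE's code), the Python below runs over constructed Sysmon-style process-creation records and flags three of the procedures listed above from the defender's side: a renamed cmd.exe (T1036.003), reg-based export of the SAM hive (T1003.002), and multi-part archives staged in the Recycle Bin (T1074.001). The field names mirror Sysmon Event ID 1, but the records, paths and matching patterns are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (assumed field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # cmd.exe dropped under another name (T1036.003 / T1105)
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"C:\Windows\Temp\svchost.exe /c whoami"},
    # reg.exe exporting the SAM hive (T1003.002 / T1005)
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    # WinRAR writing a multi-part archive into the Recycle Bin (T1074.001 / T1560.001)
    {"Image": r"C:\Program Files\WinRAR\Rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"Rar.exe a -v100m C:\$Recycle.Bin\S-1-5-21-1\data.rar C:\Users"},
    # Benign: the real cmd.exe running ipconfig
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

# reg save of a credential-bearing hive (SAM, SECURITY or SYSTEM).
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b", re.I)
# Archive (or split-archive volume) path under $Recycle.Bin.
RECYCLE_ARCHIVE = re.compile(r"\$recycle\.bin\\[^\s]*\.(?:rar|zip|7z|r\d\d)\b", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique IDs from this page that one event matches."""
    hits: List[str] = []
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    # Renamed utility: the PE header says cmd.exe but the on-disk name does not.
    if event["OriginalFileName"].lower() == "cmd.exe" and image_name != "cmd.exe":
        hits.append("T1036.003")
    if HIVE_DUMP.search(cmd):
        hits.append("T1003.002")
    if RECYCLE_ARCHIVE.search(cmd):
        hits.append("T1074.001")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched technique IDs, omitting events with no hits."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, techniques in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", techniques)
```

The OriginalFileName check is what catches the renamed cmd.exe regardless of the name chosen on disk; the two regexes are deliberately narrow and should be tuned to the telemetry actually collected.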

Software

ID | Name | References | Techniques
S0110 | at | [1] | Scheduled Task/Job: At
S0564 | BlackMould | [2] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Ingress Tool Transfer, Local Storage Discovery
S0020 | China Chopper | [1][2] | Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0106 | cmd | [1][2] | Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0040 | HTRAN | [1][2] | Process Injection, Proxy, Rootkit
S0100 | ipconfig | [1] | System Network Configuration Discovery
S0002 | Mimikatz | [1][2] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 | NBTscan | [1] | Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 | Net | [1] | Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 | Ping | [1] | Remote System Discovery
S1031 | PingPull | [3] | Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Masquerading: Masquerade Task or Service, Non-Application Layer Protocol, Non-Standard Port, System Information Discovery, System Network Configuration Discovery
S0013 | PlugX | [1] | Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Process Discovery, Query Registry, Reflective Code Loading, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 | PoisonIvy | [1][2] | Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0029 | PsExec | [1][2] | Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 | Reg | [1] | Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0005 | Windows Credential Editor | [2] | OS Credential Dumping: LSASS Memory

References

