Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.[1]

ID: G0084
Version: 1.1
Created: 30 January 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Gallmaker used PowerShell to download additional payloads and for execution.[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Gallmaker has used WinZip, likely to archive data prior to exfiltration.[1]

Enterprise T1027 Obfuscated Files or Information

Gallmaker obfuscated shellcode used during execution.[1]

Enterprise T1204.002 User Execution: Malicious File

Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.[1]

Enterprise T1559.002 Inter-Process Communication: Dynamic Data Exchange

Gallmaker attempted to exploit Microsoft's DDE protocol in order to gain access to victim machines and for execution.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Gallmaker sent emails with malicious Microsoft Office documents attached.[1]
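The three rows above (the "enable content" lure, the DDE abuse, and the malicious Office attachments) describe a single delivery chain that a mail gateway or triage script can check for statically. The following is an added example, not code from this page or from the cited Symantec report: it opens a .docx as the zip container it is, joins the field-instruction runs in word/document.xml so a DDE or DDEAUTO field code is found even when split across runs, and reports whether a VBA project (the part a macro lure needs "enable content" for) is embedded. The sample documents are constructed in memory, use placeholder field arguments, and are docx-shaped only as far as the scanner needs.

```python
from __future__ import annotations

import io
import re
import zipfile
from xml.etree import ElementTree as ET

# WordprocessingML namespace used inside word/document.xml of a .docx
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Field codes that open a DDE link; both spellings are valid Word field instructions
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def collect_field_instructions(document_xml: bytes) -> list[str]:
    """Return every field instruction string found in a document.xml body.

    Complex fields spread their instruction over several w:instrText runs inside
    one paragraph, so runs are joined per paragraph; simple fields carry the
    instruction in the w:instr attribute of w:fldSimple.
    """
    root = ET.fromstring(document_xml)
    instructions: list[str] = []
    for para in root.iter(f"{{{W_NS}}}p"):
        runs = [(node.text or "") for node in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            instructions.append("".join(runs))
    for fld in root.iter(f"{{{W_NS}}}fldSimple"):
        instr = fld.get(f"{{{W_NS}}}instr")
        if instr:
            instructions.append(instr)
    return instructions


def scan_docx(data: bytes) -> dict:
    """Flag DDE field codes and an embedded VBA project in a .docx given as bytes."""
    findings: dict = {"dde_fields": [], "has_vba_project": False, "error": None}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip-based Office document"
        return findings
    with archive:
        names = set(archive.namelist())
        # A macro-enabled document stores its VBA here; this is what "enable content" unlocks
        findings["has_vba_project"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            for instr in collect_field_instructions(archive.read("word/document.xml")):
                if DDE_RE.search(instr):
                    findings["dde_fields"].append(instr.strip())
    return findings


def build_sample_docx(with_dde: bool, with_vba: bool) -> bytes:
    """Constructed sample: a minimal docx-shaped zip, enough for the scanner, not a full Office file."""
    if with_dde:
        body = (
            '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
            '<w:r><w:instrText>placeholder-app "placeholder argument"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            "<w:r><w:t>Loading...</w:t></w:r>"
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        )
    else:
        body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes")  # constructed stand-in for a VBA project
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [
        ("dde-lure", build_sample_docx(True, False)),
        ("macro-lure", build_sample_docx(False, True)),
        ("clean", build_sample_docx(False, False)),
    ]:
        print(label, scan_docx(sample))
```

Either finding on an inbound attachment is worth quarantining for review: a DDE field has no place in an ordinary business document, and a VBA project in a file that arrives by e-mail is the precondition for the "enable content" prompt the lure relies on. The scanner does not execute anything from the document and handles non-zip input (for example a legacy .doc) by reporting an error rather than raising.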

References