According to Microsoft’s description, the group, which was active throughout 2018 and into mid-2019, relies on cheap, disposable tooling and makes little effort to hide its tracks or intent once inside a compromised network. Microsoft does not describe the group as an advanced persistent threat actor, but its quick-and-dirty techniques have proved effective.
The attackers scan for internet-exposed, vulnerable web servers, such as Red Hat’s WildFly (formerly JBoss Application Server), and use publicly known exploits to compromise them.
“Compromising a web server gives Gallium a foothold in the victim network that doesn’t require user interaction, such as traditional delivery methods like phishing,” Microsoft Threat Intelligence Center (MSTIC) warns.
“Following exploitation of the web servers, Gallium actors typically install web shells, and then install additional tooling to allow them to explore the target network.”
Microsoft notes that Gallium modifies off-the-shelf malware tools only to evade anti-malware detection, not to add custom functionality.
Among the slightly modified tools the group uses are HTRAN, Mimikatz, NBTScan, Netcat, PsExec, Windows Credential Editor, and WinRAR; Mimikatz is used to steal credentials once inside a network. The group has signed several of its modified tools with stolen code-signing certificates.
Similarly, it uses a modified version of the Poison Ivy remote access tool (RAT), a Gh0st RAT variant called QuarkBandit, the widely shared China Chopper web shell, and BlackMould, a native IIS web shell.
Gallium also uses SoftEther VPN software to maintain a foothold in compromised networks.
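The web-shell foothold described above (exploit an exposed web server, drop a web shell, then bring in further tooling) is usually hunted on the defender's side by sweeping the web root for scripts that evaluate attacker-supplied request input. The script below is an added example for this page, not Microsoft's or Gallium's code and not a detection Microsoft published; the directory layout, file contents and the regular expressions are constructed here. The first pattern matches the publicly known China Chopper ASPX one-liner; the others are generic PHP/JSP equivalents chosen as assumptions about what such shells look like. BlackMould is not modelled, since its contents are not described on this page.

```python
# Added example: a small web-shell hunt over a web root. Not Microsoft's or
# Gallium's code; sample files and patterns are constructed for illustration.
import os
import re
import tempfile

# Server-side script extensions worth inspecting (assumption for this example)
WEB_EXTENSIONS = {".aspx", ".ashx", ".asp", ".jsp", ".jspx", ".php"}

# Heuristics for "evaluate the request" shells. The first pattern matches the
# well-known China Chopper ASPX one-liner; the rest are generic equivalents.
SHELL_PATTERNS = [
    (re.compile(r'eval\s*\(\s*Request\.Item\[', re.I),
     "ASPX eval of a request parameter (China Chopper style)"),
    (re.compile(r'eval\s*\(\s*\$_(?:POST|GET|REQUEST)\b', re.I),
     "PHP eval of a request parameter"),
    (re.compile(r'base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST)\b', re.I),
     "PHP base64-decoded payload taken from the request"),
    (re.compile(r'Runtime\.getRuntime\(\)\.exec\s*\(', re.I),
     "JSP Runtime.exec call"),
]

# Files smaller than this that still touch request input get flagged too;
# China Chopper is well under 100 bytes (threshold is an assumption).
TINY_SCRIPT_BYTES = 256


def scan_content(path, data):
    """Return a list of (path, reason) findings for one file's content."""
    findings = []
    text = data.decode("utf-8", errors="ignore")
    for pattern, reason in SHELL_PATTERNS:
        if pattern.search(text):
            findings.append((path, reason))
    if not findings and len(data) < TINY_SCRIPT_BYTES and (
            "Request" in text or "$_" in text):
        findings.append((path, "tiny server-side script referencing request input"))
    return findings


def hunt(root):
    """Walk a web root and return findings for files with web-shell traits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            findings.extend(scan_content(os.path.relpath(full, root), data))
    return findings


def build_sample_webroot():
    """Create a constructed web root (not captured files) to run the hunt on."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        # benign page, no request evaluation
        "index.aspx": b'<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n',
        # China Chopper ASPX one-liner dropped into an upload directory
        "uploads/img.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
        # PHP eval shell hidden among includes
        "includes/help.php": b'<?php @eval($_POST["cmd"]); ?>',
        # non-script file, skipped by extension
        "static/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, reason in hunt(build_sample_webroot()):
        print(f"{path}: {reason}")
```

Run against a real web root, the content patterns will need tuning for the application's own frameworks, and the file-level sweep is best paired with the server's access logs (POST requests to newly created script files are the usual follow-up hunt).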
Microsoft notes that the group’s activity has declined in recent months, but hopes that sharing its methods, tools and indicators will encourage the wider security community to implement active defenses.