Gallmaker

Threat Actor Profile Updated 3 months ago
Gallmaker is a threat actor group that has been tracked since its first observed activity in December 2017 and remained consistently active until June 2018. The group's operations stand out because they use no custom malware: instead, Gallmaker relies on "living off the land" (LotL) tactics and publicly available hacking tools. This makes its activity particularly hard to detect, since the intrusions blend in with legitimate processes, use widely available tooling and leave minimal traces. The nature of the targets points strongly towards cyber espionage, most likely state sponsored. Victims are primarily in the government, military or defense sectors, indicating a highly targeted campaign. The group uses three primary IP addresses as command-and-control (C&C) infrastructure for communicating with compromised devices. Notably, the observed victims were missing a specific patch, which left them exposed to exploitation via the DDE protocol. Despite the stealthy nature of the activity, Symantec's Targeted Attack Analytics (TAA) technology was instrumental in detecting this threat actor. Gallmaker's reliance on LotL tactics and public hack tools, combined with its focus on high-value government and defense targets, underscores the evolving sophistication of threat actors and the need for advanced detection capabilities. It also emphasizes the importance of regular system updates and patching in maintaining a strong security posture.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Symantec
Exploit
State Sponso...
Espionage
PowerShell
Malware
LOTL
Source Document References
Information about the Gallmaker threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Gallmaker: New Attack Group Eschews Malware to Live off the Land