Delaware, USA – October 11, 2018 — The newly discovered APT group Gallmaker has been active at least since last December and targets government, military and defense organizations in the Middle East and Eastern Europe. The group does not use malware in its attacks; instead it relies on living-off-the-land tactics and well-known, publicly available hacking tools. According to Symantec research, the group was most active in April 2018. A Gallmaker attack typically begins with a spear-phishing email carrying an attached Microsoft Office document. The document abuses the Dynamic Data Exchange (DDE) feature of Microsoft Office to execute commands remotely, giving the group access to the device while leaving almost no traces. Gallmaker uses WindowsRoamingToolsTask to schedule PowerShell scripts and tasks, publicly available Metasploit exploits together with the Rex PowerShell library, and the WinZip console to communicate with command-and-control servers and exfiltrate data.
Because the group relies on PowerShell scripts, its attacks and malicious activity on infected systems are extremely difficult to detect. Although Microsoft released updates last year that disable the DDE protocol in Word and Excel by default, many organizations remain vulnerable to this infection vector, and attackers continue to exploit it successfully. Last month, another group exploited DDE to spread the Adwind RAT in the Middle East and Germany. You can use the DDE Exploitation Detector rule pack from Threat Detection Marketplace to uncover signs of sophisticated cyber attacks: https://my.socprime.com/en/integrations/dde-exploitation-detector-arcsight
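To show what the document side of DDE detection involves, here is an added example of a small triage scanner for Office Open XML documents (.docx). It is example code written for this article, not code from Symantec's research or from the SOC Prime rule pack. It assumes only the Python standard library and the documented Word field names DDE and DDEAUTO; the two sample documents are constructed in memory with placeholder program names and are not real phishing attachments.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by document.xml, headers, footers, etc.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Package parts that may carry field codes (headers/footers are numbered: header1.xml ...).
FIELD_PART_PREFIXES = ("word/document.xml", "word/header", "word/footer",
                       "word/footnotes.xml", "word/endnotes.xml")

# DDE and DDEAUTO are the Word field names that open a DDE conversation with another program.
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(xml_bytes):
    """Return the full instruction text of every field in one WordprocessingML part.

    Simple fields keep their instruction in w:fldSimple/@w:instr. Complex fields are
    bracketed by w:fldChar begin/end markers and may spread the instruction over many
    w:instrText runs, so the pieces are concatenated before anything is matched.
    """
    root = ET.fromstring(xml_bytes)
    fields, depth, pieces = [], 0, []
    for el in root.iter():
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    pieces = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(pieces))
        elif el.tag == W + "instrText" and depth > 0:
            pieces.append(el.text or "")
    return fields


def scan_docx(docx_bytes):
    """Scan a .docx (bytes) and return [(part_name, normalized_instruction)] for DDE fields."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith(FIELD_PART_PREFIXES) and name.endswith(".xml")):
                continue
            for instr in extract_field_codes(zf.read(name)):
                normalized = " ".join(instr.split())   # collapse whitespace padding
                if DDE_FIELD_RE.search(normalized):
                    hits.append((name, normalized))
    return hits


def build_sample_docx(body_xml):
    """Construct a minimal .docx in memory (test input built here, not a real sample)."""
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
                % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples. The benign one has an ordinary DATE field and a PAGE field; the
# suspicious one has a DDEAUTO instruction split across two runs, with placeholder target.
BENIGN_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>11 October 2018</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
)
SUSPICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO "PLACEHOLDER_PROGRAM" "PLACEHOLDER_ARGS"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>field result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, scan_docx(build_sample_docx(body)))
```

The scanner joins the instruction text across runs before matching because a Word field instruction may legitimately be split over several w:instrText elements, and a keyword match on a single run would miss such a field. It flags any DDE or DDEAUTO field regardless of the program it names, so an analyst reviews the instruction text rather than trusting an allow-list; it covers only OOXML packages, not the legacy binary .doc format or RTF, which store fields differently, and it complements rather than replaces endpoint telemetry such as the Office-spawning-PowerShell patterns the rule pack above is built around.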