Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, Windows, macOS | exfiltration | Data Compressed | Gallmaker has used WinZip, likely to archive data prior to exfiltration. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | Gallmaker sent emails with malicious Microsoft Office documents attached. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Linux, Windows, macOS | execution | User Execution | Gallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution. | Anti-virus, Process command-line parameters, Process monitoring |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Gallmaker used PowerShell scripts for execution. | Process monitoring, File monitoring, Process command-line parameters |
| Windows | execution | PowerShell | Gallmaker used PowerShell to download additional payloads. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Windows | execution | Dynamic Data Exchange | Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution. | API monitoring, DLL monitoring, Process monitoring, Windows Registry, Windows event logs |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Gallmaker obfuscated shellcode used during execution. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |