Symantec reveals state-sponsored group that doesn’t care for malware
A newly revealed hacking group has been going after diplomatic and military targets in a malware-less campaign that researchers say makes it difficult to detect.
Over the last 10 months, the so-called Gallmaker group has conducted what appear to be cyber-espionage operations against several embassies belonging to an Eastern European country, according to research from cybersecurity company Symantec published Wednesday. The group, which researchers say is likely state-sponsored, has also targeted military and defense organizations in the Middle East.
“The type of targets seen in the attacks really fit that of what an espionage group would be interested in,” Jon DiMaggio, senior threat intelligence analyst at Symantec, told CyberScoop. “If simply for financial gain, it would be odd to restrict targets to diplomatic, military and defense personnel.” Gallmaker’s end goal appears to be collecting intelligence on its targets in the form of documents and communications, according to DiMaggio.
Gallmaker’s hackers use “living off the land” tactics — or tools already installed on target computers — that leave less of a footprint in the hopes of avoiding detection. Symantec has warned that such tactics are on the rise. “Often this activity will blend in with legitimate operational activity conducted by administrators,” DiMaggio said.
Gallmaker’s operatives have sent Microsoft Office documents with military and diplomatic themes in their titles in an attempt to exploit an Office protocol, according to Symantec. “These documents are not very sophisticated, but evidence of infections shows that they’re effective,” a company blog post says.
Last year, researchers from SensePost pointed out that the protocol, known as Dynamic Data Exchange (DDE), could be exploited by attackers to open executable programs and run commands. Microsoft issued a patch in December, but Symantec says Gallmaker’s victims have not had that patch in place.
“When the victim opens the lure document, a warning appears asking victims to ‘enable content,’” the Symantec blog states. “Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system.”
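Because the lure documents carry no malware, a file-level check for the DDE field itself is one of the few static signals a defender has. The following is an added example written for this article, not Symantec's tooling or anything from the Gallmaker campaign: a Python scanner that opens a .docx as the ZIP container it is, reconstructs every field instruction in the Word XML parts, and flags fields whose instruction begins with DDE or DDEAUTO. It joins instruction text that is split across several runs, since a field code does not have to appear as one contiguous string. The sample documents, the executable path in the flagged field and the part-name list are constructed placeholders.

```python
"""Scan .docx files for Dynamic Data Exchange (DDE) field codes.

Added defender-side example, not Symantec's code. A Word document is a ZIP
archive; field instructions live in word/document.xml (and headers, footers,
notes) either as a w:fldSimple w:instr attribute or as w:instrText runs
between fldChar begin/end markers.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# A field whose instruction starts with DDE or DDEAUTO launches a DDE server.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)
# Parts that can hold fields (assumed list; document.xml is the usual one).
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_codes(xml_bytes):
    """Yield the complete instruction text of every field in one XML part.

    Complex fields may spread their instruction over many w:instrText runs
    (so a naive search for the literal string DDEAUTO can miss them); the
    runs are concatenated per field, with a stack to tolerate nesting.
    """
    root = ET.fromstring(xml_bytes)
    for simple in root.iter(W + "fldSimple"):
        yield simple.get(W + "instr", "")
    stack = []  # one list of instruction fragments per open complex field
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def scan_docx(data):
    """Return [(part_name, normalised_field_code)] for DDE fields in a .docx given as bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for code in field_codes(zf.read(name)):
                if DDE_RE.match(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def _docx(document_xml):
    """Build a minimal in-memory .docx around one document.xml (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_HDR = '<w:document xmlns:w="%s"><w:body>' % W_NS
_FTR = "</w:body></w:document>"

# Constructed benign document: plain text plus an ordinary DATE field.
BENIGN = _docx(
    _HDR
    + "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
    + '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    + "<w:r><w:t>1 January 2018</w:t></w:r></w:fldSimple></w:p>"
    + _FTR
)

# Constructed DDE document: the keyword is split across three runs and the
# target is a placeholder path, not a real payload.
SPLIT_DDE = _docx(
    _HDR
    + "<w:p>"
    + '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    + '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    + '<w:r><w:instrText xml:space="preserve">AUTO </w:instrText></w:r>'
    + '<w:r><w:instrText xml:space="preserve">"C:\\placeholder\\app.exe" "/example" </w:instrText></w:r>'
    + '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    + "<w:r><w:t>(cached result)</w:t></w:r>"
    + '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    + "</w:p>"
    + _FTR
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("split-dde", SPLIT_DDE)):
        print(label, scan_docx(blob))
```

The scanner only covers the .docx container; DDE fields can also live in other Office formats, so treat this as a complement to the endpoint-level monitoring the article describes rather than a replacement for it. The 'enable content' prompt is the user-facing point of failure, so a document that trips this check before it reaches a mailbox never gets to ask that question.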