Gallmaker

Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.[1]

ID: G0084
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1002 | Data Compressed | Gallmaker has used WinZip, likely to archive data prior to exfiltration.[1]
Enterprise | T1173 | Dynamic Data Exchange | Gallmaker abused Microsoft’s Dynamic Data Exchange (DDE) protocol in malicious Office documents to gain access to victim machines and to execute commands.[1]
Enterprise | T1027 | Obfuscated Files or Information | Gallmaker obfuscated the shellcode it used during execution.[1]
Enterprise | T1086 | PowerShell | Gallmaker used PowerShell to download additional payloads.[1]
Enterprise | T1064 | Scripting | Gallmaker used PowerShell scripts for execution.[1]
Enterprise | T1193 | Spearphishing Attachment | Gallmaker sent emails with malicious Microsoft Office documents attached.[1]
Enterprise | T1204 | User Execution | Gallmaker sent victims a lure document containing a warning that asked them to “enable content”, which triggered execution.[1]
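The initial-access vector in the table (T1173, delivered via T1193) is a DDE or DDEAUTO field inside a Word document: when the field updates after the user clicks “enable content”, Word launches the named DDE server (typically cmd.exe or powershell.exe). The following scanner is an added example, not code from ATT&CK or from the Symantec report; it pulls every field instruction out of the WordprocessingML parts of a .docx and flags DDE fields. The sample document, part names and field text it builds are constructed for illustration. It deliberately reassembles field codes that have been split across multiple w:instrText runs, a common trick lure authors use to defeat a plain string search for “DDEAUTO”.

```python
"""Scan OOXML (.docx) files for DDE / DDEAUTO field codes.

Added example for the Gallmaker page; not code from ATT&CK or Symantec.
The .docx used as input is constructed in memory below.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Word parts that can carry fields (body, headers/footers, notes, comments).
PART_RE = re.compile(
    r"^word/(document|header\d*|footer\d*|footnotes|endnotes|comments)\.xml$")

# DDE and DDEAUTO are the field types that start an external DDE server.
# Word accepts them case-insensitively, so match that way too.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def _field_instructions(root):
    """Yield each complete field instruction string in one XML part.

    Simple fields keep the instruction in w:fldSimple/@w:instr. Complex
    fields are spread over runs: a w:fldChar 'begin', one or more
    w:instrText runs, an optional 'separate', then a w:fldChar 'end'.
    All w:instrText between begin and end are concatenated (with nesting
    depth tracked) so a code split as 'DDE' + 'AUTO' is still seen whole.
    """
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    depth, buf = 0, []
    for el in root.iter():           # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end":
                depth -= 1
                if depth == 0 and buf:
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")


def scan_docx(data: bytes):
    """Return [(part_name, normalized_instruction)] for every DDE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            root = ET.fromstring(zf.read(name))
            for instr in _field_instructions(root):
                if DDE_RE.search(instr):
                    findings.append((name, " ".join(instr.split())))
    return findings


def build_docx(body_xml: str) -> bytes:
    """Build a minimal .docx around body_xml (constructed test input)."""
    doc = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
           % (W_NS, body_xml))
    ct = ('<?xml version="1.0" encoding="UTF-8"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          '<Default Extension="xml" ContentType="application/xml"/>'
          '<Override PartName="/word/document.xml" ContentType="application/vnd.'
          'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
          '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed lure body: the DDEAUTO code is split across three runs and the
# visible result text mimics an "enable content" prompt. Harmless command.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO C:\\\\Windows\\\\System32\\\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText>"/c echo dde"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Enable content to view this document</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
# Constructed benign body: an ordinary PAGE field must not be flagged.
BENIGN_BODY = ('<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT ">'
               '<w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>')

if __name__ == "__main__":
    for part, instr in scan_docx(build_docx(MALICIOUS_BODY + BENIGN_BODY)):
        print("DDE field in %s: %s" % (part, instr))
```

Run it against real attachments by replacing the constructed bytes with the file contents (`scan_docx(open(path, "rb").read())`); legacy binary .doc files and RTF carry the same field codes in a different encoding and need a separate parser.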

References