GALLIUM

GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]

ID: G0093
Associated Groups: Granite Typhoon
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus
Version: 4.0
Created: 18 July 2019
Last Modified: 17 April 2024

Associated Group Descriptions

Name Description
Granite Typhoon [4]

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.[1]

Enterprise T1136 .002 Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[1][2]

Enterprise T1005 Data from Local System

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[1]

Enterprise T1190 Exploit Public-Facing Application

GALLIUM exploited publicly facing servers, including WildFly/JBoss servers, to gain access to the network.[1][2]

Enterprise T1133 External Remote Services

GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[1][2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise T1105 Ingress Tool Transfer

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1][2]

Enterprise T1570 Lateral Tool Transfer

GALLIUM has used PsExec to move laterally between hosts in the target network.[2]

Enterprise T1036 .003 Masquerading: Rename System Utilities

GALLIUM used a renamed cmd.exe file to evade detection.[1]

Enterprise T1027 Obfuscated Files or Information

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.[1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1][2]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise T1090 .002 Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise T1018 Remote System Discovery

GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by creating a scheduled task.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[1][2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools, including certificates belonging to Whizzimo LLC.[2]

Enterprise T1016 System Network Configuration Discovery

GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[1]

Enterprise T1049 System Network Connections Discovery

GALLIUM used netstat -oan to obtain information about the victim network connections.[1]

Enterprise T1033 System Owner/User Discovery

GALLIUM used whoami and query user to obtain information about the victim user.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise T1078 Valid Accounts

GALLIUM leveraged valid accounts to maintain access to a victim network.[1]

Enterprise T1047 Windows Management Instrumentation

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]
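Several rows above name concrete host-level observables: the discovery commands ipconfig /all, netstat -oan, whoami and query user; reg commands that dump the SAM hive; a renamed cmd.exe; and WinRAR multi-part archives staged in the Recycle Bin. The Python below is an added detection sketch, not part of this ATT&CK entry, that runs those checks over constructed process-creation events; the event field names (loosely modelled on Sysmon Event ID 1) and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real telemetry). Field names are an
# assumption: image = executable path, orig = PE OriginalFileName, cmdline = command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe", "orig": "Cmd.Exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"host": "ws01", "image": r"C:\Windows\Temp\svchost.exe", "orig": "Cmd.Exe", "cmdline": "svchost.exe /c whoami"},
    {"host": "ws01", "image": r"C:\Windows\System32\netstat.exe", "orig": "netstat.exe", "cmdline": "netstat -oan"},
    {"host": "ws01", "image": r"C:\Windows\System32\query.exe", "orig": "query.exe", "cmdline": "query user"},
    {"host": "ws01", "image": r"C:\Windows\System32\reg.exe", "orig": "reg.exe", "cmdline": r"reg save HKLM\SAM C:\$Recycle.Bin\s.hiv"},
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\Rar.exe", "orig": "Rar.exe", "cmdline": r"rar a -v100m -hpX C:\$Recycle.Bin\out.rar C:\docs"},
    {"host": "ws02", "image": r"C:\Windows\System32\ipconfig.exe", "orig": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "ws02", "image": r"C:\Windows\System32\reg.exe", "orig": "reg.exe", "cmdline": r"reg query HKLM\Software\Example"},
]

# Discovery commands the page attributes to GALLIUM, mapped to their technique IDs.
DISCOVERY = {"ipconfig /all": "T1016", "netstat -oan": "T1049", "whoami": "T1033", "query user": "T1033"}
# T1003.002: reg save/export of a credential-bearing hive (SAM, SECURITY or SYSTEM).
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+(?:HKLM\\|HKEY_LOCAL_MACHINE\\)?(?:SAM|SECURITY|SYSTEM)\b", re.I)
# T1074.001: any path under the Recycle Bin on the command line.
RECYCLE_BIN = re.compile(r"\\\$Recycle\.Bin\\", re.I)
# T1560.001: RAR archive creation with multi-volume (-v<size>) or header-encryption (-hp) switches.
ARCHIVER = re.compile(r"(?:^|\\)(?:rar|winrar)(?:\.exe)?\s+a\b.*?(?:-v\d+|-hp)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (list of (host, technique, evidence) alerts, set of hosts with a discovery burst)."""
    alerts, seen = [], defaultdict(set)
    for e in events:
        cmd = e["cmdline"]
        # T1036.003: the binary's original file name is cmd.exe but it runs under another name.
        if e["orig"].lower() == "cmd.exe" and basename(e["image"]) != "cmd.exe":
            alerts.append((e["host"], "T1036.003", e["image"]))
        if HIVE_DUMP.search(cmd):
            alerts.append((e["host"], "T1003.002", cmd))
        # Archiver writing multi-part/encrypted output, or any archiver touching the Recycle Bin.
        if ARCHIVER.search(cmd) or (RECYCLE_BIN.search(cmd) and "rar" in basename(e["image"])):
            alerts.append((e["host"], "T1560.001/T1074.001", cmd))
        for needle in DISCOVERY:
            if needle in cmd.lower():
                seen[e["host"]].add(needle)
    # A single discovery command is routine admin noise; three or more distinct ones on one host is the signal.
    bursts = {h for h, s in seen.items() if len(s) >= 3}
    return alerts, bursts
```

The per-event rules and the per-host burst count are deliberately separate so that a lone ipconfig /all (ws02) is not alerted on while the combined sequence on ws01 is.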

Software

ID Name References Techniques
S0110 at [1] Scheduled Task/Job: At
S0564 BlackMould [2] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery
S0020 China Chopper [1][2] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0106 cmd [1][2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0040 HTRAN [1][2] Process Injection, Proxy, Rootkit
S0100 ipconfig [1] System Network Configuration Discovery
S0002 Mimikatz [1][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 Ping [1] Remote System Discovery
S1031 PingPull [3] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal: Timestomp, Masquerading: Masquerade Task or Service, Non-Application Layer Protocol, Non-Standard Port, System Information Discovery, System Network Configuration Discovery
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [1][2] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0029 PsExec [1][2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0005 Windows Credential Editor [2] OS Credential Dumping: LSASS Memory

References