GALLIUM

GALLIUM is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. GALLIUM has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2]

ID: G0093
Associated Groups: Operation Soft Cell
Contributors: Daniyal Naeem, BT Security; Cybereason Nocturnus, @nocturnus
Version: 2.0
Created: 18 July 2019
Last Modified: 23 April 2021

Associated Group Descriptions

Name Description
Operation Soft Cell

[1]

Techniques Used

Domain ID Name Use
Enterprise T1583 .004 Acquire Infrastructure: Server

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

GALLIUM used the Windows command shell to execute commands.[1]

Enterprise T1136 .002 Create Account: Domain Account

GALLIUM created high-privileged domain user accounts to maintain access to victim networks.[1][2]

Enterprise T1005 Data from Local System

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise T1041 Exfiltration Over C2 Channel

GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[1]

Enterprise T1190 Exploit Public-Facing Application

GALLIUM exploited a publicly-facing servers including Wildfly/JBoss servers to gain access to the network.[1][2]

Enterprise T1133 External Remote Services

GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.[1][2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise T1105 Ingress Tool Transfer

GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[1][2]

Enterprise T1570 Lateral Tool Transfer

GALLIUM has used PsExec to move laterally between hosts in the target network.[2]

Enterprise T1036 .003 Masquerading: Rename System Utilities

GALLIUM used a renamed cmd.exe file to evade detection.[1]

Enterprise T1027 Obfuscated Files or Information

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

.002 Software Packing

GALLIUM packed some payloads using different types of packers, both known and custom.[1]

.005 Indicator Removal from Tools

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1][2]

.002 OS Credential Dumping: Security Account Manager

GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise T1090 .002 Proxy: External Proxy

GALLIUM used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise T1018 Remote System Discovery

GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GALLIUM established persistence for PoisonIvy by created a scheduled task.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.[1][2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.[2]

Enterprise T1016 System Network Configuration Discovery

GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[1]

Enterprise T1049 System Network Connections Discovery

GALLIUM used netstat -oan to obtain information about the victim network connections.[1]

Enterprise T1033 System Owner/User Discovery

GALLIUM used whoami and query user to obtain information about the victim user.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

GALLIUM used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise T1078 Valid Accounts

GALLIUM leveraged valid accounts to maintain access to a victim network.[1]

Enterprise T1047 Windows Management Instrumentation

GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]

Software

ID Name References Techniques
S0110 at [1] Scheduled Task/Job: At (Windows)
S0564 BlackMould [2] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Ingress Tool Transfer, System Information Discovery
S0020 China Chopper [1][2] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0106 cmd [1][2] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0040 HTRAN [1][2] Process Injection, Proxy, Rootkit
S0100 ipconfig [1] System Network Configuration Discovery
S0002 Mimikatz [1][2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Scanning, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 Ping [1] Remote System Discovery
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [1][2] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0029 PsExec [1][2] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry
S0005 Windows Credential Editor [2] OS Credential Dumping: LSASS Memory

References