Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.^[1]

ID: G0084

Version: 1.1

Created: 30 January 2019

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Gallmaker has used WinZip, likely to archive data prior to exfiltration.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Gallmaker used PowerShell to download additional payloads and for execution.^[1]
Enterprise	T1559	.002	Inter-Process Communication: Dynamic Data Exchange	Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.^[1]
Enterprise	T1027		Obfuscated Files or Information	Gallmaker obfuscated shellcode used during execution.^[1]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Gallmaker sent emails with malicious Microsoft Office documents attached.^[1]
Enterprise	T1204	.002	User Execution: Malicious File	Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.^[1]

References

Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.

Gallmaker

Enterprise Layer

Techniques Used

References