
Who needs custom malware? 'Govt-backed' Gallmaker spy crew uses off-the-shelf wares

Likely state hackers make do with 'living off the land' and going after tardy Office patchers

A newly discovered spy gang is eschewing boutique attack tools to instead use publicly available exploits against unpatched systems.

Known as Gallmaker, the cyber-espionage group is said to be targeting the embassies of an unnamed eastern European country and military defense installations in the Middle East. According to researchers at Symantec today, the crew has been operating since December of last year, relying entirely on code scraped from the public internet. We're told the gang are "likely" to be backed by an unnamed government.

"This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign," Symantec claimed.

"The most interesting aspect of Gallmaker’s approach is that the group doesn’t use malware in its operations. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools."

According to Symantec, the group feeds booby-trapped Microsoft Office documents to victims via email. These files, when opened, launch PowerShell scripts via Redmond's much decried Dynamic Data Exchange (DDE) protocol. These scripts then open up connections to a remote control server, and from there, the attackers hope to siphon data from the infected machines and, in some cases, delete files to cover their tracks.

Note that these scripts exploit vulnerabilities in DDE that Microsoft patched in 2017 – so if you're up to date with your software, or better, turned off DDE support, you're all good for now. It's possible that the code could run anyway, even if you're patched, but only if a user or admin overrides the fix. In short, don't enable DDE, and don't allow users to reenable it.




Because the group appears to be targeting a specific country's embassies and a set of defense targets in the Middle East, Symantec believes the operation to be state-sponsored espionage.

"Gallmaker’s activity has been quite consistent since we started tracking it," Symantec said.

"The group has carried out attacks most months since December 2017. Its activity subsequently increased in the second quarter of 2018, with a particular spike in April 2018."

While the group is not using custom attack tools or purpose-built malware, researchers say that Gallmaker is in its own way a highly sophisticated operation.

By relying on publicly available tools, the group makes itself harder to detect in the wild and difficult to distinguish from "regular" cybercrime activity or even legitimate data traffic. Symantec said it only caught on to the group after noticing the suspicious PowerShell commands used to communicate with the control servers.

Researchers have been warning about the lowered barrier of entry for online espionage. Countries that were not thought to have the resources for sophisticated attacks have been able to repurpose other countries' tools or use public malware and leaked exploits for their own ends. ®
