GALLIUM | APT Profile

Description

[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.(Citation: Cybereason Soft Cell June 2019) Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)

Techniques Used (TTPs)

T1059.003 — Windows Command Shell (execution)
T1003.002 — Security Account Manager (credential-access)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1027 — Obfuscated Files or Information (defense-evasion)
T1553.002 — Code Signing (defense-evasion)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1005 — Data from Local System (collection)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1588.002 — Tool (resource-development)
T1047 — Windows Management Instrumentation (execution)
T1136.002 — Domain Account (persistence)
T1583.004 — Server (resource-development)
T1133 — External Remote Services (persistence, initial-access)
T1027.002 — Software Packing (defense-evasion)
T1505.003 — Web Shell (persistence)
T1003.001 — LSASS Memory (credential-access)
T1560.001 — Archive via Utility (collection)
T1059.001 — PowerShell (execution)
T1570 — Lateral Tool Transfer (lateral-movement)
T1027.005 — Indicator Removal from Tools (defense-evasion)
T1090.002 — External Proxy (command-and-control)
T1049 — System Network Connections Discovery (discovery)
T1074.001 — Local Data Staging (collection)
T1033 — System Owner/User Discovery (discovery)
T1190 — Exploit Public-Facing Application (initial-access)
T1016 — System Network Configuration Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1018 — Remote System Discovery (discovery)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1036.003 — Rename Legitimate Utilities (defense-evasion)

Total TTPs: 31

Malware & Tools

Malware: BlackMould, China Chopper, PingPull, PlugX, PoisonIvy

Tools: HTRAN, Mimikatz, NBTscan, Net, Ping, PsExec, Reg, Windows Credential Editor, at, cmd, ipconfig

← Return to Home ← Back to APT Search