G0084 Gallmaker
Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.[1]
| Item | Value |
|---|---|
| ID | G0084 |
| Associated Names | |
| Version | 1.1 |
| Created | 30 January 2019 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Gallmaker has used WinZip, likely to archive data prior to exfiltration.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Gallmaker used PowerShell to download additional payloads and for execution.[1] |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.002 | Dynamic Data Exchange | Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Gallmaker obfuscated shellcode used during execution.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Gallmaker sent emails with malicious Microsoft Office documents attached.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Gallmaker sent victims a lure document with a warning that asked victims to “enable content” for execution.[1] |