A team of researchers from the Microsoft Threat Intelligence Center (MSTIC) has warned of ongoing attacks by the GALLIUM cybercriminal group targeting telecommunication providers in Southeast Asia, Europe and Africa. The attackers exploit vulnerabilities in the WildFly open source application server (formerly JBoss Application Server).
After penetrating a company’s network, the attackers begin collecting credentials using common tools and TTPs (tactics, techniques and procedures). They use the compromised credentials together with the PsExec utility to move laterally through the network and execute processes on other systems.
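The lateral-movement step described above has a well-known footprint on the receiving host: PsExec installs a temporary Windows service (by default named PSEXESVC, with its binary dropped into the Windows root directory) before running the requested command, which is recorded as a service-installation event (Event ID 7045) in the System log. The following added example, which is not part of the original article or of MSTIC's tooling, runs a simple detection over a handful of constructed 7045-style records. The pipe-delimited record format and the hostnames are constructed for the example, and the "binary dropped directly in the Windows root" rule is a heuristic assumption intended to catch a renamed PsExec service, not a definitive indicator.

```python
import re
from dataclasses import dataclass

# Constructed sample records shaped after Windows System log entries.
# Fields: EventID|Host|ServiceName|ImagePath|Account (format is an assumption
# for this example, not a real log layout).
SAMPLE_EVENTS = """\
7045|SRV-01|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|LocalSystem
7045|SRV-02|Spooler|C:\\Windows\\System32\\spoolsv.exe|LocalSystem
7045|SRV-03|svchelper|%SystemRoot%\\svchelper.exe|LocalSystem
7045|SRV-04|MyBackup|C:\\Program Files\\Backup\\agent.exe|LocalSystem
7036|SRV-01|PSEXESVC|entered the running state|-
"""

# Default PsExec service/binary name.
PSEXEC_NAME = re.compile(r"psexesvc", re.IGNORECASE)

# Heuristic (assumption): a service binary placed directly in the Windows root,
# where PsExec drops its helper, deserves a look even if the service was renamed.
ROOT_DROP = re.compile(r"^(?:%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Alert:
    host: str
    service: str
    image: str
    reason: str


def parse_event(line):
    """Split one pipe-delimited record into a dict, or return None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    event_id, host, name, image, account = parts
    return {"id": event_id, "host": host, "name": name, "image": image, "account": account}


def detect_psexec_services(text):
    """Return alerts for service installations (7045) that look like PsExec."""
    alerts = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["id"] != "7045":
            continue  # only service-installation events are of interest here
        if PSEXEC_NAME.search(ev["name"]) or PSEXEC_NAME.search(ev["image"]):
            alerts.append(Alert(ev["host"], ev["name"], ev["image"],
                                "default PsExec service name or binary"))
        elif ROOT_DROP.match(ev["image"]):
            alerts.append(Alert(ev["host"], ev["name"], ev["image"],
                                "service binary dropped in Windows root (heuristic)"))
    return alerts


if __name__ == "__main__":
    for a in detect_psexec_services(SAMPLE_EVENTS):
        print(f"{a.host}: service '{a.service}' -> {a.image} [{a.reason}]")
```

Two of the four installations are flagged: SRV-01 by the default service name and SRV-03 by the root-directory heuristic, while the legitimate Spooler and backup-agent services pass. In practice the alert should be correlated with the network logon (Event ID 4624, logon type 3) that precedes it on the same host, since a single 7045 event can also come from an administrator's own PsExec use.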
“Operators rely on a cheap and easily replaceable infrastructure, which consists of DNS domains and reusable transition points,” the researchers explained.
Among the GALLIUM tools identified by experts during past campaigns are HTRAN (packet forwarding), Mimikatz and Windows Credential Editor (recovery of credentials and authentication tokens), NBTScan (for finding NETBIOS name servers on a local or remote network), Netcat (reading and writing over TCP or UDP), PsExec (remote execution of commands on a system), as well as WinRAR.
Using web shells, the attackers establish persistence on the target system and deliver their payload.
In addition to the China Chopper backdoor, the group uses the BlackMould web shell derived from it for a range of tasks, including enumerating local disks, performing basic file operations, setting file attributes, exfiltrating and deleting files, and executing malicious commands on compromised devices.
In some cases, as a second stage, the group downloads modified versions of the Gh0st RAT and Poison Ivy malware altered to evade detection.
As the experts noted, instead of developing its own malware, GALLIUM modified existing tools to increase the effectiveness of its attacks.