Security researchers observed a new attack group known as Gallmaker using living-off-the-land (LotL) tactics in an extensive espionage campaign.

According to Symantec, the attackers targeted several embassies of an Eastern European country, defense targets in the Middle East, and other government and military targets. The threat group — which has been in operation since at least December 2017 — did not use malware as part of its most recent activity. Instead, it employed LotL tactics and publicly available hacking tools.

In the campaigns discovered by Symantec, Gallmaker sent out spear phishing emails with malicious attachments. These documents abused the Microsoft Office Dynamic Data Exchange (DDE) protocol to compromise recipients’ machines. The attackers then leveraged that access to spy on their victims by remotely executing commands in memory, including the use of WindowsRoamingToolsTask to schedule PowerShell scripts and a “reverse_tcp” reverse shell payload from Metasploit.

A Surge in Living-off-the-Land Tactics

Gallmaker isn’t the only group that has used LotL tactics in recent months. In fact, Symantec researchers witnessed a surge in these techniques dating back to at least July 2017.

At the time, they identified four main categories of LotL attacks, including the abuse of dual-use tools such as PsExec and the emergence of memory-only threats that may achieve fileless persistence. Symantec also noted that those behind the June 2017 Petya outbreak had lived off the land as a means to infect organizations around the world.

How to Defend Against Gallmaker Attacks

Security professionals can protect their organizations against Gallmaker’s campaigns by establishing a consistent software patching program that prioritizes vulnerabilities based on their assessed risk. Security teams should also adhere to the principle of layered security and implement next-generation endpoint protection tools to defend against fileless malware.

Sources: Symantec, Symantec(1)