The Microsoft Threat Intelligence Center (MSTIC) has been tracking the GALLIUM hacking group and, as its understanding of the group's behavior has grown, has determined that its targets are telecommunications providers. To compromise a target network, GALLIUM exploits vulnerabilities in WildFly/JBoss to attack unpatched, internet-facing services.
GALLIUM has been active, particularly from 2018 to 2019. Once the attackers have compromised a target network, they use common tools such as Mimikatz to steal any available credentials. Experts note that GALLIUM currently relies on publicly available versions of software and publicly documented tools, which it modifies only slightly in an attempt to evade detection. The operators rely on low-cost, easily replaceable infrastructure, using dynamic DNS domains and hop points that they reuse regularly.
The group also uses customized versions of Gh0st RAT and Poison Ivy, both modified to change the way the software communicates. It uses QuarkBandit as second-stage malware, which experts describe as a modified Gh0st RAT variant with changed configuration options and encryption. More recently, researchers have observed GALLIUM using VPN connections to maintain persistent access to compromised networks.