Cybercriminals seeking to avoid detection by antimalware defenses have increasingly begun using legitimate hacking tools and tactics — in addition to their own malware — to break into enterprise networks and literally hide in plain sight. Now a new and likely state-sponsored threat group has emerged that isn’t using any custom malware at all.
Instead, the group is exclusively relying on publicly available hacking tools and living-off-the-land tactics to conduct an especially stealthy and hard-to-detect cyber espionage campaign.
Symantec, which was the first to spot the group, has named it Gallmaker.
The group’s modus operandi has been to send Office lure documents to individuals at targeted organizations. When opened, these documents give the attackers a way to remotely execute commands in the victim system’s memory using Microsoft’s Office Dynamic Data Exchange (DDE) protocol.
Once on a system, the attackers have been executing various tools in memory, making their activities hard to spot and to stop.
Read more: Dark Reading