The company said Thursday the Gallmaker group uses publicly available hacking tools and “living off the land“ techniques to access targeted computers and avoid detection by traditional security platforms.
The group infiltrates a network by sending a Microsoft Office document that attempts to exploit the Microsoft Office Dynamic Data Exchange protocol and deploying several tools such as WindowsRoamingToolsTask, Rex PowerShell library and a legitimate version of the WinZip console.
“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,“ said Symantec CEO Greg Clark.
The company discovered the group using its Targeted Attack Analytics platform built to detect security threats through artificial intelligence and machine learning.
Symantec said it detected in June the recent activity of Gallmaker, which has been operational since December 2017.