Microsoft has published a report detailing activity by a threat group it tracks as Gallium, in line with the company's internal convention of naming threat actors after chemical elements.

Gallium was earlier spotted and reported by Cybereason researchers, who dubbed the activity Operation Soft Cell in their report.

In 2018, investigators identified an unusual, persistent attack campaign targeting telecommunications providers and using techniques associated with Chinese-affiliated threat actors.

Investigators report that the attackers, thought to have been active since 2012, were trying to steal data stored in Active Directory, compromise credentials, and access personally identifiable information, billing data, call records, email servers, and users' geolocation data.

The majority of Gallium's activity, which chiefly targeted telecommunication providers, was observed throughout 2018 and into mid-2019. Microsoft says that while the group remains an active threat, its activity levels have fallen compared with what researchers observed earlier.

To gain access to a target network, the threat group identifies and exploits Internet-facing services. The group has been observed abusing unpatched Web services, for example WildFly/JBoss, for which exploits are widely available. While a group's reconnaissance methods are often hard to establish, Microsoft says Gallium's targeting of Internet-facing services indicates the group uses open-source research and network scanning tools to locate new targets.

Investigators highlight that Gallium does little to conceal its intent and often uses common malware families and publicly available toolkits with only minor alterations. The group has used the widely available Poison Ivy RAT and QuarkBandit, a modified version of Gh0st RAT. Poison Ivy RAT, Gh0st RAT, and the China Chopper Web shell form the foundation of its toolkit.

Gallium generally uses dynamic DNS subdomains for its C2 infrastructure. Analysis shows the group tends to favor cheap, low-effort approaches, as shown by its use of dynamic DNS providers rather than registered domains.
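Because the report singles out dynamic DNS subdomains as Gallium's usual C2 infrastructure, a practical defender-side check is to flag resolver queries for hostnames under known dynamic DNS zones and see which internal hosts are making them. The script below is an added example, not code from the Microsoft or Cybereason reports; the log format, the client addresses and query names, and the list of dynamic DNS zones are all constructed for illustration, and a real deployment would feed its own resolver logs and its own threat-intelligence list of zones. The match is label-aware, so a lookalike such as `login.no-ip.com.example.com` is not mistaken for a host under `no-ip.com`.

```python
"""Flag DNS queries for hostnames under dynamic DNS zones.

Added example (not from the Microsoft or Cybereason reports). The zone
list, log format and log lines are constructed for illustration.
"""
import re
from collections import Counter

# Assumption: the zones your threat-intel team considers relevant.
# Replace with your own list; these are only illustrative.
DYNAMIC_DNS_ZONES = (
    "no-ip.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org",
    "dyndns.org", "duckdns.org", "dynu.net", "freeddns.org",
)

# Constructed resolver log lines: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2019-06-03T10:01:02Z 10.20.30.41 update.example-vendor.net A
2019-06-03T10:01:05Z 10.20.30.41 cdn.internal.example A
2019-06-03T10:01:09Z 10.20.30.77 svc-telemetry.hopto.org A
2019-06-03T10:01:12Z 10.20.30.77 svc-telemetry.hopto.org A
2019-06-03T10:02:30Z 10.20.30.41 mail.example.com MX
2019-06-03T10:03:44Z 10.20.30.99 srv01.ddns.net A
2019-06-03T10:03:50Z 10.20.30.77 login.no-ip.com.example.com A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def dynamic_dns_zone(qname, zones=DYNAMIC_DNS_ZONES):
    """Return the dynamic DNS zone that qname falls under, or None.

    Label-aware: the name must equal the zone or end with "." + zone,
    so "login.no-ip.com.example.com" is not treated as a no-ip.com host.
    Case and a trailing dot are ignored, as DNS names are case-insensitive.
    """
    name = qname.lower().rstrip(".")
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_dynamic_dns_queries(text, zones=DYNAMIC_DNS_ZONES):
    """Return every parsed record whose query name is under a dynamic DNS zone."""
    hits = []
    for rec in parse_log(text):
        zone = dynamic_dns_zone(rec["qname"], zones)
        if zone:
            hits.append({**rec, "zone": zone})
    return hits


def summarise_by_client(hits):
    """Count flagged queries per client so analysts can triage the noisiest hosts first."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = find_dynamic_dns_queries(SAMPLE_LOG)
    for h in flagged:
        print(f"{h['ts']} {h['client']} -> {h['qname']} (zone: {h['zone']})")
    print(summarise_by_client(flagged))
```

On the constructed sample this flags the two `hopto.org` queries from 10.20.30.77 and the `ddns.net` query from 10.20.30.99, and leaves the `login.no-ip.com.example.com` lookalike alone. A hit is a triage lead rather than proof of compromise, since legitimate software also uses dynamic DNS; pairing the per-client counts with asset context (which hosts should never need such names) is what turns the list into an alert.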
