The company said Thursday the Gallmaker group uses publicly available hacking tools and “living off the land” techniques to access targeted computers and avoid detection by traditional security platforms.
The group infiltrates a network by sending a Microsoft Office document that attempts to exploit the Microsoft Office Dynamic Data Exchange protocol, then deploys several tools such as WindowsRoamingToolsTask, the Rex PowerShell library and a legitimate version of the WinZip console.
“Gallmaker bears the hallmarks of a highly targeted cyber espionage campaign supported by a nation-state,” said Symantec CEO Greg Clark.
The company discovered the group with its Targeted Attack Analytics platform, which is built to detect security threats through artificial intelligence and machine learning.
Symantec said it detected Gallmaker's recent activity in June; the group has been operational since December 2017.