Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.5
Created: 17 October 2018
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]

.005 Command and Scripting Interpreter: Visual Basic

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]

Enterprise T1105 Ingress Tool Transfer

Gorgon Group malware can download additional files from C2 servers.[1]

Enterprise T1112 Modify Registry

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]

Enterprise T1106 Native API

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.[1]

.012 Process Injection: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]

Enterprise T1204 .002 User Execution: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0336 NanoCore [1] Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0262 QuasarRAT [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0332 Remcos [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References