Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.4
Created: 17 October 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]

.001 Command and Scripting Interpreter: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[1]

.005 Command and Scripting Interpreter: Visual Basic

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]

Enterprise T1105 Ingress Tool Transfer

Gorgon Group malware can download additional files from C2 servers.[1]

Enterprise T1112 Modify Registry

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]

Enterprise T1106 Native API

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.[1]

.012 Process Injection: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]

Enterprise T1204 .002 User Execution: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0336 NanoCore

[1]

Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0385 njRAT

[1]

Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Peripheral Device Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0262 QuasarRAT

[1]

Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0332 Remcos

[1]

Abuse Elevation Control Mechanism: Bypass User Access Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References