Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.3

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]

Enterprise T1089 Disabling Security Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]

Enterprise T1106 Execution through API

Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution.[1]

Enterprise T1143 Hidden Window

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.[1]

Enterprise T1112 Modify Registry

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]

Enterprise T1086 PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[1]

Enterprise T1093 Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]

Enterprise T1055 Process Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

Enterprise T1105 Remote File Copy

Gorgon Group malware can download additional files from C2 servers.[1]

Enterprise T1064 Scripting

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[1]

Enterprise T1023 Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]

Enterprise T1193 Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]

Enterprise T1065 Uncommonly Used Port

Gorgon Group has used a variant of ShiftyBug that communicates with its C2 server over port 6666.[1]

Enterprise T1204 User Execution

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0336 NanoCore [1] Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0385 njRAT [1] Application Window Discovery, Command-Line Interface, Credentials from Web Browsers, Custom Command and Control Protocol, Data Encoding, Data from Local System, Disabling Security Tools, File and Directory Discovery, File Deletion, Input Capture, Modify Registry, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture
S0262 QuasarRAT [1] Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials from Web Browsers, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0332 Remcos [1] Audio Capture, Bypass User Account Control, Clipboard Data, Command-Line Interface, Connection Proxy, File and Directory Discovery, Input Capture, Modify Registry, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Scripting, Video Capture, Virtualization/Sandbox Evasion

References