1. Home
  2. Groups
  3. Gorgon Group

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.5
Created: 17 October 2018
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 修改注册表

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]
Enterprise T1140 反混淆/解码文件或信息

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
.009 启动或登录自动启动执行: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[1]
.003 命令与脚本解释器: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]
.005 命令与脚本解释器: Visual Basic

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[1]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]
Enterprise T1106 本机API

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[1]
Enterprise T1204 .002 用户执行: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]
Enterprise T1588 .002 获取能力: Tool

Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.[1]
Enterprise T1105 输入工具传输

Gorgon Group malware can download additional files from C2 servers.[1]
Enterprise T1055 .002 进程注入: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.[1]
.012 进程注入: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]
Enterprise T1564 .003 隐藏伪装: Hidden Window

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

Software

ID Name References Techniques
S0336 NanoCore [1] 修改注册表, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: Visual Basic, 妨碍防御: Disable or Modify System Firewall, 妨碍防御: Disable or Modify Tools, 混淆文件或信息, 系统网络配置发现, 视频捕获, 输入工具传输, 输入捕获: Keylogging, 音频捕获
S0385 njRAT [1] 从密码存储中获取凭证: Credentials from Web Browsers, 从本地系统获取数据, 修改注册表, 动态解析: Fast Flux DNS, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Windows Command Shell, 外围设备发现, 妨碍防御: Disable or Modify System Firewall, 屏幕捕获, 应用层协议: Web Protocols, 应用窗口发现, 数据编码: Standard Encoding, 文件和目录发现, 本机API, 查询注册表, 混淆文件或信息: Encrypted/Encoded File, 混淆文件或信息: Compile After Delivery, 移除指标: File Deletion, 移除指标: Clear Persistence, 系统信息发现, 系统所有者/用户发现, 视频捕获, 输入工具传输, 输入捕获: Keylogging, 进程发现, 远程服务: Remote Desktop Protocol, 远程系统发现, 通过C2信道渗出, 通过可移动媒体复制, 非标准端口
S0262 QuasarRAT [1] 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证, 从本地系统获取数据, 代理, 修改注册表, 加密通道: Symmetric Cryptography, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Windows Command Shell, 未加密凭证: Credentials In Files, 滥用权限提升控制机制: Bypass User Account Control, 系统位置发现, 系统信息发现, 系统所有者/用户发现, 系统网络配置发现, 视频捕获, 输入工具传输, 输入捕获: Keylogging, 远程服务: Remote Desktop Protocol, 隐藏伪装: Hidden Window, 隐藏伪装: Hidden Files and Directories, 非应用层协议, 非标准端口, 预定任务/作业: Scheduled Task, 颠覆信任控制: Code Signing
S0332 Remcos [1] 代理, 修改注册表, 剪贴板数据, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Python, 命令与脚本解释器: Windows Command Shell, 屏幕捕获, 文件和目录发现, 混淆文件或信息, 滥用权限提升控制机制: Bypass User Account Control, 虚拟化/沙盒规避: System Checks, 视频捕获, 输入工具传输, 输入捕获: Keylogging, 进程注入, 音频捕获

References

  1. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.