Currently viewing ATT&CK v10.1 which was live between October 21, 2021 and April 24, 2022. Learn more about the versioning system or see the live site.
  1. Home
  2. Groups
  3. Gorgon Group

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.5
Created: 17 October 2018
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
.009 Boot or Logon Autostart Execution: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.[1]
.003 Command and Scripting Interpreter: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[1]
.005 Command and Scripting Interpreter: Visual Basic

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[1]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.[1]
Enterprise T1105 Ingress Tool Transfer

Gorgon Group malware can download additional files from C2 servers.[1]
Enterprise T1112 Modify Registry

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.[1]
Enterprise T1106 Native API

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[1]
Enterprise T1588 .002 Obtain Capabilities: Tool

Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.[1]
Enterprise T1055 .002 Process Injection: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.[1]
.012 Process Injection: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.[1]
Enterprise T1204 .002 User Execution: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0336 NanoCore [1] Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0262 QuasarRAT [1] Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0332 Remcos [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Python, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References

  1. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.