G0078 Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. ¹

Item	Value
ID	G0078
Associated Names
Version	1.5
Created	17 October 2018
Last Modified	12 October 2021
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.¹
enterprise	T1547.009	Shortcut Modification	Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.001	PowerShell	Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.¹
enterprise	T1059.003	Windows Command Shell	Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.¹
enterprise	T1059.005	Visual Basic	Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.¹
enterprise	T1140	Deobfuscate/Decode Files or Information	Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.¹
enterprise	T1564	Hide Artifacts	-
enterprise	T1564.003	Hidden Window	Gorgon Group has used `-W Hidden` to conceal PowerShell windows by setting the WindowStyle parameter to hidden. ¹
enterprise	T1562	Impair Defenses	-
enterprise	T1562.001	Disable or Modify Tools	Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the `taskkill` command.¹
enterprise	T1105	Ingress Tool Transfer	Gorgon Group malware can download additional files from C2 servers.¹
enterprise	T1112	Modify Registry	Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under `HKCU\Software\Microsoft\Office\`.¹
enterprise	T1106	Native API	Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.¹
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.002	Tool	Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.¹
enterprise	T1566	Phishing	-
enterprise	T1566.001	Spearphishing Attachment	Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.¹
enterprise	T1055	Process Injection	-
enterprise	T1055.002	Portable Executable Injection	Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.¹
enterprise	T1055.012	Process Hollowing	Gorgon Group malware can use process hollowing to inject one of its trojans into another process.¹
enterprise	T1204	User Execution	-
enterprise	T1204.002	Malicious File	Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.¹

Software

ID	Name	References	Techniques
S0336	NanoCore	¹	Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0385	njRAT	¹	Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Compile After Delivery:Obfuscated Files or Information Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture
S0262	QuasarRAT	¹	Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Symmetric Cryptography:Encrypted Channel Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Modify Registry Non-Application Layer Protocol Non-Standard Port Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery Credentials In Files:Unsecured Credentials Video Capture
S0332	Remcos	¹	Bypass User Account Control:Abuse Elevation Control Mechanism Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Process Injection Proxy Screen Capture Video Capture System Checks:Virtualization/Sandbox Evasion

G0078 Gorgon Group

Techniques Used

Software

References