Skip to content

G0078 Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. 1

Item Value
ID G0078
Associated Names
Version 1.5
Created 17 October 2018
Last Modified 12 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.1
enterprise T1547.009 Shortcut Modification Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.1
enterprise T1059.003 Windows Command Shell Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.1
enterprise T1059.005 Visual Basic Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.1
enterprise T1140 Deobfuscate/Decode Files or Information Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.1
enterprise T1105 Ingress Tool Transfer Gorgon Group malware can download additional files from C2 servers.1
enterprise T1112 Modify Registry Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.1
enterprise T1106 Native API Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.1
enterprise T1055 Process Injection -
enterprise T1055.002 Portable Executable Injection Gorgon Group malware can download a remote access tool, ShiftyBug, and inject into another process.1
enterprise T1055.012 Process Hollowing Gorgon Group malware can use process hollowing to inject one of its trojans into another process.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.1

Software

ID Name References Techniques
S0336 NanoCore - Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0385 njRAT - Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal on Host Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Obfuscated Files or Information Compile After Delivery:Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture
S0262 QuasarRAT - Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery Credentials In Files:Unsecured Credentials Video Capture
S0332 Remcos - Bypass User Account Control:Abuse Elevation Control Mechanism Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Python:Command and Scripting Interpreter File and Directory Discovery Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Process Injection Proxy Screen Capture Video Capture System Checks:Virtualization/Sandbox Evasion

References

Back to top