Gorgon Group is an advanced persistent threat (APT) group that is believed to be based in Pakistan and has conducted targeted attacks against government organisations in the United Kingdom and other nations since February 2018.
The group has distributed malware via common URL shortening services in addition to traditional command and control domains. Infection is usually achieved via macros in fake documents and spear phishing emails that link to executable files on remote servers. The initial infection stage also attempts to disable antivirus protection and delete virus definition files. The group’s emails often have the appearance of being sent from legitimate individuals and have engaging subject lines such as political topics.
It’s worth noting that the attackers use URL shortening services to avoid detection by traffic analysis solutions, and that these same services helped researchers to track the effectiveness of Gorgon Group campaigns.
The group has used remote access trojans (RATs) and information stealers such as njRAT, NanoCore, Quasar and LokiBot in its activities. Decoy documents may automatically open on infected devices to distract users from what is happening in the background.
The subjects of the spear phishing emails were also interesting: they often concerned terrorist groups, military activity or political topics, for example:
- Acting FOREIGN Minister of Pakistan
- Invitation to lady wives of H.E. Ambassador/High Commissioner from lady wife of H.E. High Commissioner of Bangladesh
- Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018
- PG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan
- Press Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018
- Afghan Bomb Blast report by ISI
- USAJOBS Daily Saved Search Results for New GS15 for 3/30/2018
- How Rigging take place in Senate Elections in Pakistan
- Afghan Terrorist group details ISI Restricted
- 1971 Liberation War Freedom Fighters in Pakistan Army Custody Database
Additionally, the following filenames were witnessed in these attacks (spelling and grammar mistakes included):
- Liberation Freedom Fighter.xlam
- NSC details of participants.xlam
- Raw Sect Vikram report on Pak Army Confidential.doc
- USA Immagration Policy for Families.ppam
- CV FM.doc
- Sukhoi35 deal report.doc
- Nominal Roll.doc
- Press Release 17 April.doc
- Afghan Blast report by ISI.doc
- Rigging in Pakistan Senate.doc
- Afghan Terrorist group report.doc
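Putting the delivery pattern described above into detection terms: a message is worth an analyst's attention when it carries a macro-capable Office attachment (the .xlam, .ppam and .doc lures listed), links to a URL shortener (the page names Bitly), or reuses one of the reported subject lines. The following triage script is an added example and is not code from the original post or from any vendor report it draws on. The pipe-delimited gateway log format, the sample records, the shortener hosts other than Bitly and the macro-capable extensions beyond .xlam/.ppam/.doc are all assumptions made for the example.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Extensions seen in the lure filenames above (.xlam, .ppam, .doc);
# .docm/.xlsm/.pptm are an assumption (also macro-capable Office formats).
MACRO_LURE_EXTENSIONS = {".xlam", ".ppam", ".doc", ".docm", ".xlsm", ".pptm"}

# Bitly is named in the text; the other shortener hosts are an assumption.
SHORTENER_DOMAINS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}

# Subject lines reported in the text.
KNOWN_SUBJECTS = [
    "Acting FOREIGN Minister of Pakistan",
    "Invitation to lady wives of H.E. Ambassador/High Commissioner from lady wife of H.E. High Commissioner of Bangladesh",
    "Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018",
    "PG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan",
    "Press Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018",
    "Afghan Bomb Blast report by ISI",
    "USAJOBS Daily Saved Search Results for New GS15 for 3/30/2018",
    "How Rigging take place in Senate Elections in Pakistan",
    "Afghan Terrorist group details ISI Restricted",
    "1971 Liberation War Freedom Fighters in Pakistan Army Custody Database",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
REVIEW_THRESHOLD = 2  # assumed tuning: any single lure indicator is enough to queue for review


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so trivial edits do not defeat subject matching."""
    return re.sub(r"\s+", " ", text.strip().lower())


KNOWN_SUBJECTS_NORMALIZED = {normalize(s) for s in KNOWN_SUBJECTS}


@dataclass
class MailEvent:
    timestamp: str
    sender: str
    subject: str
    attachments: list[str]
    body: str


def parse_log_line(line: str) -> MailEvent:
    """Parse one pipe-delimited gateway record (a constructed format, not a real product's)."""
    timestamp, *fields = line.rstrip("\n").split("|")
    kv = dict(f.split("=", 1) for f in fields)
    attachments = [a for a in kv.get("attach", "").split(";") if a]
    return MailEvent(timestamp, kv.get("from", ""), kv.get("subject", ""), attachments, kv.get("body", ""))


def shortener_links(body: str) -> list[str]:
    """Return URLs in the body whose host is a known URL-shortening service."""
    hits = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_DOMAINS:
            hits.append(url)
    return hits


def lure_attachments(names: list[str]) -> list[str]:
    """Return attachment names whose extension is macro-capable."""
    return [n for n in names if os.path.splitext(n)[1].lower() in MACRO_LURE_EXTENSIONS]


def subject_matches_known(subject: str) -> bool:
    """True when the subject equals (after normalization) a reported campaign subject."""
    return normalize(subject) in KNOWN_SUBJECTS_NORMALIZED


def triage(event: MailEvent) -> tuple[int, list[str]]:
    """Score one message; the reasons list explains the score to the analyst."""
    score, reasons = 0, []
    if links := shortener_links(event.body):
        score += 2
        reasons.append("shortened link(s): " + ", ".join(links))
    if lures := lure_attachments(event.attachments):
        score += 2
        reasons.append("macro-capable attachment(s): " + ", ".join(lures))
    if subject_matches_known(event.subject):
        score += 3
        reasons.append("subject matches a reported campaign subject")
    return score, reasons


def triage_log(text: str) -> list[tuple[str, int, list[str]]]:
    """Return (subject, score, reasons) for every record at or above REVIEW_THRESHOLD."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_log_line(line)
        score, reasons = triage(event)
        if score >= REVIEW_THRESHOLD:
            flagged.append((event.subject, score, reasons))
    return flagged


# Constructed sample gateway records (not real traffic); addresses use reserved example domains.
SAMPLE_LOG = """\
2018-04-17T09:12:03Z|from=press.desk@example.com|subject=Press Release 17 April|attach=Press Release 17 April.doc|body=Please see the attached release.
2018-04-18T11:40:55Z|from=hr@example.org|subject=Afghan Bomb Blast report by ISI|attach=|body=Full report here: http://bit.ly/2xAbCdE
2018-04-19T08:05:10Z|from=alice@example.net|subject=Lunch on Friday?|attach=menu.pdf|body=See https://www.example.net/menu
"""

if __name__ == "__main__":
    for subject, score, reasons in triage_log(SAMPLE_LOG):
        print(f"[{score}] {subject!r}: " + "; ".join(reasons))
```

Run against the constructed log, the first two records are queued for review (a .doc lure, then a reported subject combined with a Bitly link) and the third is not. The additive score keeps each indicator independently visible, which matters here because the text notes the decoy documents and subject lines are designed to look legitimate on their own.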
For further technical details see here.
Affected systems:
- Microsoft Windows – all versions
For a complete updated list check here.
Indicators of compromise: short Bitly URLs.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.