Gorgon Group APT

Gorgon Group is an advanced persistent threat (APT) group that is believed to be based in Pakistan and has conducted targeted attacks against government organisations in the United Kingdom and other nations since February 2018.

The group has distributed malware via common URL shortening services in addition to traditional command and control domains. Infection is usually achieved via macros in fake documents and spear phishing emails that link to executable files on remote servers. The initial infection stage also attempts to disable antivirus protection and delete virus definition files. The group’s emails often have the appearance of being sent from legitimate individuals and have engaging subject lines such as political topics.

It’s worth noting that the attackers use URL shortening services to avoid detection by traffic analysis solutions, yet these same services also helped researchers to track the effectiveness of Gorgon Group campaigns.

The group has used remote access trojans (RATs) and information stealers such as njRAT, NanoCore, Quasar and LokiBot in its activities. Decoy documents may automatically open on infected devices to distract users from what is happening in the background.

The subjects of the spear phishing emails were also interesting, often containing subject matter related to terrorist groups, military activity, or political topics.

  • Acting FOREIGN Minister of Pakistan
  • Invitation to lady wives of H.E. Ambassador/High Commissioner from lady wife of H.E. High Commissioner of Bangladesh
  • Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143
  • PG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan
  • Press Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018
  • Afghan Bomb Blast report by ISI
  • USAJOBS Daily Saved Search Results for New GS15 for 3/30/2018
  • How Rigging take place in Senate Elections in Pakistan
  • Afghan Terrorist group details ISI Restricted113
  • 1971 Liberation War Freedom Fighters in Pakistan Army Custody Database

Additionally, the following filenames were witnessed in these attacks (spelling and grammar mistakes included):

  • Liberation Freedom Fighter.xlam
  • NSC details of participants.xlam
  • Raw Sect Vikram report on Pak Army Confidential.doc
  • USA Immagration Policy for Families.ppam
  • doc
  • CV FM.doc
  • doc
  • Sukhoi35 deal report.doc
  • Nominal Roll.doc
  • Press Release 17 April.doc
  • Afghan Blast report by ISI.doc
  • Rigging in Pakistan Senate.doc
  • Afghan Terrorist group report.doc

For further technical details see here

Affected Platforms

  • Microsoft Windows – all versions

IP Addresses

115.186.136[.]237

Domain Names

For a complete updated list check here.

t2m.io
brevini-france.cf
onedrivenet.xyz
diamondfoxpanel.ml
guelphupholstery.com
acorn-paper.com
stevemikeforce.com
ocha-gidi.xyz
xyz-storez.xyz
panelonetwothree.ga
www.stemtopx.com
panelonetwothree.ml
securebotnetpanel.tk
www.fast-cargo.com
www.0-day.us
0-day.us
zupaservices.info
fast-cargo.com
stemtopx.com
stevemike-fireforce.info
www.asaigoldenrice.com
asaigoldenrice.com

Short Bitly URLs

bit.ly/Loaloding
bit.ly/Loadingnnsa
bit.ly/2JmQLW6
bit.ly/2JsruKm
bit.ly/2GUaY49
bit.ly/Loadingnns
bit.ly/2Im2IOF
bit.ly/primeload
bit.ly/loader2018
bit.ly/2xZ1kO6wdscsac
bit.ly/2M2bIYh
bit.ly/2r9PSIv
bit.ly/Loadiendg
bit.ly/2rpmJKsrdtrdtdfysersgerstrdFCGRDR
bit.ly/2Fu4ZSfloading
bit.ly/2HloaderqVbva
bit.ly/Loardising
bit.ly/2JB3KXD
bit.ly/1_loadingH7TvJa
bit.ly/Loadijging
bit.ly/Laodiingplease
bit.ly/2HvQBirEam832ASADx
bit.ly/2I5T7b9hgvgvjcVYVY
bit.ly/paymentsuae
bit.ly/Laodingipleasewait
bit.ly/loadingxxxx
bit.ly/2Gmziko
bit.ly/2sQhJOO
bit.ly/laodinfokqaw
bit.ly/loadrinfing
bit.ly/2JaBgAS
bit.ly/2loadingqlOQcM
bit.ly/loardding
bit.ly/loidaring
bit.ly/LoadingPleaseWait
bit.ly/2HJv5Ud
bit.ly/Loading13
bit.ly/2Lzpjp1
bit.ly/tt_seafood
bit.ly/Lording
bit.ly/loadingsmins
bit.ly/2_loadingJwkhJA
bit.ly/Laodiingpleasesa
bit.ly/2tnW5lu
bit.ly/tt_loading
bit.ly/2wzkloading
bit.ly/Loadingans
bit.ly/2r9jLcQloading
bit.ly/loadingpleasewairrs
bit.ly/2arubabKmpgwP
bit.ly/2HAwzmN3290293sadjokwwadjoW
bit.ly/loadingasz
bit.ly/ntissa2vFamys
bit.ly/2IgzmRxEmasidE9kEjidlE
bit.ly/2JqmuWp
bit.ly/load242HmFqZ6
bit.ly/2L17QGqloading
bit.ly/2MarX5t
bit.ly/Loadingnix
bit.ly/2HyVGGy_loading
bit.ly/2H8euros
bit.ly/2I2mUBFstthdhtrhdtyftfyj
bit.ly/Loininding
bit.ly/2F02ZRq
bit.ly/Loadingpleasewait
bit.ly/2jE36KjhvjhgkHJHKLHGFHJ
bit.ly/Waitpleasewait
bit.ly/Loiading
bit.ly/Loadingplasewaitsm
bit.ly/2jCTHCNasiudhasdASdy7656basdu
bit.ly/loadingpleaswaitrr
bit.ly/Loadingnsi
bit.ly/2JRUNKh
bit.ly/2Hload25YdU19
bit.ly/2lording
bit.ly/2M9lLL6
bit.ly/Loggeding
bit.ly/Loadingwaitplez
bit.ly/ASDj23234j4oDj3234Sdmk
bit.ly/2JloadingspWgLs2
bit.ly/Loadingpleasewaitnn
bit.ly/2sPe3wZrdtrdytd
bit.ly/LAdooing
bit.ly/LoadIng
bit.ly/2JnMVQz
bit.ly/DocumentIsLoadingPleasewait
bit.ly/2HVD1Bh
bit.ly/2uoqexc
bit.ly/2vXgnqdASdj2929iqwSdu9iw9i
bit.ly/4_loadingEwHlnA
bit.ly/lLoadingl9
bit.ly/LlLoadinG
bit.ly/2kTPwmFdrwfdtsfdfyr
bit.ly/2G34tww
bit.ly/2HvQBir
bit.ly/golden_uae
bit.ly/pele2HROHp1
bit.ly/2rlqLDBMSloading
bit.ly/2JDUVMC
bit.ly/2K1GYVgtyfctftfTFTYFUFtufutfu
bit.ly/2Jr4dby
bit.ly/2M9I8z4
bit.ly/ASD8239ASdmkWi38AS
bit.ly/LoadingPelasewaits
bit.ly/2JnNtG7
bit.ly/shawclk2HZJXOr
bit.ly/loadijgng
bit.ly/PleaseWaitLoading
bit.ly/Loadinger
bit.ly/Workingwait
bit.ly/Loadingplzwait
bit.ly/2HuOFBQ
bit.ly/LoadingPleasewait1
bit.ly/LlOrRinding
bit.ly/Loadingwaitplzz
bit.ly/2HWdrzTgfufuyfkCTYTDFYTgtfutf
bit.ly/2KHEnRKxestrhdyhdDTDRDTRthdydy
bit.ly/unkwonas
bit.ly/Laodiingpleasewait
bit.ly/wordxchange
bit.ly/Loadsinfpleasewait
bit.ly/Loardsing
bit.ly/2ImbyrQ
bit.ly/LoadingPleasewait
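A defender's use of the indicators above is to match them against outbound proxy logs and look for the chain the post describes: a bit.ly click, followed by a download from one of the hosting domains, followed by traffic to the C2 address. The script below is an added example and not code from the original post. It embeds a subset of the post's own indicators (domains, the defanged IP, and a few bit.ly paths) and scans constructed sample log lines in an assumed "timestamp client method url" format; the log lines, log format and client addresses are all constructed for the demonstration. It also goes slightly beyond the text by handling two practical details: the IP is kept defanged as published and refanged only at match time, and domain matching accepts subdomains (www.stemtopx.com matches stemtopx.com) without accepting look-alikes such as notstemtopx.com, while bit.ly paths are compared case-sensitively because the post lists Loadingpleasewait and LoadingPleasewait as separate links.

```python
"""Scan proxy log lines for the Gorgon Group indicators listed in this post.

Added example, not code from the original post. The indicator values are a
subset copied from the lists above (domains, defanged IP, bit.ly paths); the
log format and the log lines themselves are constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the post. The IP is kept defanged, as published,
# and refanged only at match time.
DOMAINS = {
    "stemtopx.com", "0-day.us", "fast-cargo.com",
    "stevemikeforce.com", "onedrivenet.xyz", "asaigoldenrice.com",
}
IPS_DEFANGED = {"115.186.136[.]237"}
# bit.ly paths are case-sensitive: the post lists both "Loadingpleasewait"
# and "LoadingPleasewait" as separate links, so no lower-casing here.
BITLY_PATHS = {"Loadingpleasewait", "LoadingPleasewait", "primeload",
               "loader2018", "2JmQLW6"}
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 115.186.136[.]237 into a matchable form."""
    return indicator.replace("[.]", ".")


def host_in_domains(host: str, domains) -> bool:
    """True for an exact listed domain or any subdomain of it (www.stemtopx.com -> stemtopx.com).

    The explicit "." prefix in the suffix test keeps look-alikes such as
    notstemtopx.com from matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url: str):
    """Return which indicator class a URL hits ("ip", "shortener", "domain"), or None."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return None
    if host in {refang(ip) for ip in IPS_DEFANGED}:
        return "ip"
    if host in SHORTENER_HOSTS and parsed.path.lstrip("/") in BITLY_PATHS:
        return "shortener"
    if host_in_domains(host, DOMAINS):
        return "domain"
    return None


# Assumed log format (constructed for this example): "<timestamp> <client> <method> <url>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample log lines: client 10.0.0.12 shows the full chain
# (shortener -> hosting domain -> C2 IP); the other clients are benign noise,
# including a lower-cased bit.ly path and a look-alike domain that must not match.
SAMPLE_LOG = """\
2018-05-02T09:14:03Z 10.0.0.12 GET http://bit.ly/Loadingpleasewait
2018-05-02T09:14:05Z 10.0.0.12 GET http://www.stemtopx.com/
2018-05-02T09:15:11Z 10.0.0.40 GET https://www.example.com/index.html
2018-05-02T09:16:22Z 10.0.0.12 POST http://115.186.136.237/
2018-05-02T09:17:00Z 10.0.0.41 GET http://bit.ly/loadingpleasewait
2018-05-02T09:17:30Z 10.0.0.41 GET http://notstemtopx.com/
"""


def scan_log(text: str):
    """Return (client, category, url) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        category = classify_url(m["url"])
        if category:
            hits.append((m["client"], category, m["url"]))
    return hits


def clients_by_category(hits):
    """Group the indicator classes seen per client so a complete
    shortener -> domain -> IP chain stands out from a single stray click."""
    chains = {}
    for client, category, _ in hits:
        chains.setdefault(client, set()).add(category)
    return chains


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_by_category(found))
```

On the constructed sample, only 10.0.0.12 produces hits, and it produces all three classes, which is the pattern worth escalating; a client that only touched a single bit.ly link is a weaker signal on its own, since the same shortener serves plenty of benign traffic.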

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.