Group description: Gorgon Group

Gorgon Group, Group G0078 | MITRE ATT&CK®

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

ID: G0078
Version: 1.5
Created: 17 October 2018
Last Modified: 25 April 2025

Techniques Used (Enterprise)

T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
           Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]

T1547.009  Boot or Logon Autostart Execution: Shortcut Modification
           Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence. [1]

T1059.001  Command and Scripting Interpreter: PowerShell
           Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim's machine. [1]

T1059.003  Command and Scripting Interpreter: Windows Command Shell
           Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system. [1]

T1059.005  Command and Scripting Interpreter: Visual Basic
           Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines. [1]

T1140      Deobfuscate/Decode Files or Information
           Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file. [1]

T1564.003  Hide Artifacts: Hidden Window
           Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

T1562.001  Impair Defenses: Disable or Modify Tools
           Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command. [1]

T1105      Ingress Tool Transfer
           Gorgon Group malware can download additional files from C2 servers. [1]

T1112      Modify Registry
           Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\. [1]

T1106      Native API
           Gorgon Group malware can leverage the Windows API call CreateProcessA() for execution. [1]

T1588.002  Obtain Capabilities: Tool
           Gorgon Group has obtained and used tools such as QuasarRAT and Remcos. [1]

T1566.001  Phishing: Spearphishing Attachment
           Gorgon Group sent emails to victims with malicious Microsoft Office documents attached. [1]

T1055.002  Process Injection: Portable Executable Injection
           Gorgon Group malware can download a remote access tool, ShiftyBug, and inject it into another process. [1]

T1055.012  Process Injection: Process Hollowing
           Gorgon Group malware can use process hollowing to inject one of its trojans into another process. [1]

T1204.002  User Execution: Malicious File
           Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails. [1]

Software

S0336  NanoCore [1]
       Techniques: Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture

S0385  njRAT [1]
       Techniques: Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture

S0262  QuasarRAT [1]
       Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, Video Capture

S0332  Remcos [1]
       Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection, Proxy, Screen Capture, Video Capture, Virtualization/Sandbox Evasion: System Checks

References

[1] Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.