Threat Management, Threat Management, Threat Intelligence, Malware, Phishing

Worst of both words: ‘Gorgon’ hackers practice both general cybercrime and targeted government attacks


A hacking group apparently based in Pakistan has been straddling the fence between cybercriminal activity and nation-state espionage, leveraging the same malicious infrastructure to both launch email spam campaigns and target government agencies in  U.S., UK, Russia and Spain.

The threat actor, dubbed Gorgon Group by Palo Alto Networks Unit 42 researchers who have been tracking the collective, in comprised of at least five separate units operating individually. This includes the group Subaat, which in 2017 launched a phishing campaign targeting a U.S. government organizatino in a campaign to deliver QuasarRAT via the vulnerability CVE-2012-0158 and the Crimson Downloader.

In an Aug. 2 blog post, Unit 42 reported its discovery of a new wave of targeted attacks that Gorgon launched against government organizations throughout the world, starting in early 2018. This campaign employed spear phishing emails leveraging Word documents exploiting the Microsoft Office/WordPad remote code execution vulnerability CVE-2017-0199.

These emails would purport to come from seemingly credible individuals like a Pakistani military officer, and feature subject lines bearing political or military news topics. (e.g. Afghan Bomb Blast report by ISI" and "Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143."

Final payloads delivered during this campaign included various remote access trojans such as NanoCoreRAT, QuasarRAT and NJRAT.

At the same time period, Gorgon also engaged in less targeted malspam campaigns, featuring phishing emails sent to a wide array industries, typically with lures pertaining to purchase orders of the SWIFT banking messaging service. The most common payloads delivered in these attacks were NJRAT, RevengeRAT, the information stealer LokiBot, RemcosRAT and NanoCoreRAT.

"Using numerous decoy documents and phishing emails, both styles of attacks lacked overall sophistication, but the effectiveness of this group and campaign cannot be denied," Unit 42's blog post stated.

Gorgon's cybercriminal and cyber espionage campaigns have shared numerous traits -- among them, the use of Bitly URL shorteners. According to Palo Alto Networks, the most recent cybercriminal campaign has generated more than than 132,800 Bitly clicks from mid-February through Aug. 2. Other commonalities include malware payloads, the command-and-control infrastructure, and even the presence of several operational security flaws that helped the researchers gain better insight into the attacks and the composition of Gorgon.

Palo Alto Networks singled out one particular Gorgon members, nicknamed "fudpages," who is linked to a Microsoft Word doc designed to download malware from recently added domain, whose WHOIS record includes a Pakistani address. Further investigation led to the discovery of two additional domains using the term Fudpage. The researchers since concluded that Fudpage "appears to be a small marketplace selling bulletproof hosting, RDP sessions, fake documents and a litany of additional malicious wares," said the blog post.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.