A hacking group apparently based in Pakistan has been straddling the fence between cybercriminal activity and nation-state espionage, leveraging the same malicious infrastructure to both launch email spam campaigns and target government agencies in U.S., UK, Russia and Spain.
The threat actor, dubbed Gorgon Group by Palo Alto Networks Unit 42 researchers who have been tracking the collective, in comprised of at least five separate units operating individually. This includes the group Subaat, which in 2017 launched a phishing campaign targeting a U.S. government organizatino in a campaign to deliver QuasarRAT via the vulnerability CVE-2012-0158 and the Crimson Downloader.
In an Aug. 2 blog post, Unit 42 reported its discovery of a new wave of targeted attacks that Gorgon launched against government organizations throughout the world, starting in early 2018. This campaign employed spear phishing emails leveraging Word documents exploiting the Microsoft Office/WordPad remote code execution vulnerability CVE-2017-0199.
These emails would purport to come from seemingly credible individuals like a Pakistani military officer, and feature subject lines bearing political or military news topics. (e.g. Afghan Bomb Blast report by ISI" and "Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143."
Final payloads delivered during this campaign included various remote access trojans such as NanoCoreRAT, QuasarRAT and NJRAT.
At the same time period, Gorgon also engaged in less targeted malspam campaigns, featuring phishing emails sent to a wide array industries, typically with lures pertaining to purchase orders of the SWIFT banking messaging service. The most common payloads delivered in these attacks were NJRAT, RevengeRAT, the information stealer LokiBot, RemcosRAT and NanoCoreRAT.
"Using numerous decoy documents and phishing emails, both styles of attacks lacked overall sophistication, but the effectiveness of this group and campaign cannot be denied," Unit 42's blog post stated.
Gorgon's cybercriminal and cyber espionage campaigns have shared numerous traits -- among them, the use of Bitly URL shorteners. According to Palo Alto Networks, the most recent cybercriminal campaign has generated more than than 132,800 Bitly clicks from mid-February through Aug. 2. Other commonalities include malware payloads, the command-and-control infrastructure, and even the presence of several operational security flaws that helped the researchers gain better insight into the attacks and the composition of Gorgon.
Palo Alto Networks singled out one particular Gorgon members, nicknamed "fudpages," who is linked to a Microsoft Word doc designed to download malware from recently added domain, whose WHOIS record includes a Pakistani address. Further investigation led to the discovery of two additional domains using the term Fudpage. The researchers since concluded that Fudpage "appears to be a small marketplace selling bulletproof hosting, RDP sessions, fake documents and a litany of additional malicious wares," said the blog post.
