<— Back

The Gorgon-tuan Odyssey: RATting Out a Pakistani APT Group

11:55 – 12:25(SGT) Thursday 3 December, 2020

Gorgon was one of the first APT groups to latch on to the Covid-19 theme in its campaigns. We recently discovered two different spearphishing-triggered campaigns targeting theMSME (Micro, Small and Medium Enterprises) sector within India, resulting in the payload delivery of encrypted binaries of the Formbook, NetWire RAT, Agent Tesla, AsyncRAT and others from the group’s entire repository of RATs. It was also one among the few APT groups to first use the most prominent downloader of 2020, the GuLoader (a.k.a CloudEyE), and custom cryptors like Habib Crypter (sold in hacking forums) to evade deeper scrutiny by security software.

Gorgon is a group of threat actors suspected to be based in Pakistan. It is well known for both targeted attacks and mass campaigns. Its target list is vast, including government agencies of the United States, UK, Spain, Russia (inferred based on social engineering themes related to military, political and terrorist groups) in addition to India’s MSME sector.

This group has been constantly honing its skills over the years by choreographing increasingly sophisticated techniques to complicate analysis such as anti-attach methods by patching ntdll!DbgBreakPoint / ntdll!DbgUiRemoteBreakin and using ZwSetInformationThread, and to circumvent detection by unhooking the user-mode hooks of monitoring software. It has also begun to employ anti-emulation tricks such as using cpuid and rdtsc instructions, and anti-VM tricks such as hash matching of window classes like VBoxTraytoolWndclass. Finally, by abusing commonly-used cloud storage such as

GoogleDrive, Microsoft OneDrive, Discord CDN, the group’s ability to penetrate gateway protection to deliver its payloads has improved.

This paper presents a comprehensive analysis of the entire gamut of Gorgon’s operations, uncovering the TTPs leveraged and the tools and infrastructure used in its campaigns, thus providing deep insights into the group’s modus operandi. Along the way we shall cover the current and future geographical targets of the group, the industry sectors that have been targeted, details of the C&Cs used, and the artefacts related to document macros and URL patterns. We shall present an account of our efforts to track down individual Gorgon members pivoting on the names and email addresses associated with the GoogleDrive links used in campaigns, and thus finally deliver the proof of our attribution.