The Gorgon Group

aka: Gorgon Group, Subaat

Unit 42 researchers have been tracking Subaat, a threat actor, since 2017. Subaat recently drew renewed attention because of fresh targeted attack activity. While monitoring Subaat, Unit 42 came to suspect that the actor was part of a larger crew responsible for targeted attacks against governmental organizations worldwide. Technical analysis of some of the attacks, together with attribution links to Pakistan-based actors, has already been published by 360 and Tuisec; their findings show connections to a larger group of attackers that Unit 42 researchers have been tracking and call Gorgon Group.


Associated Families
win.lokipws win.nanocore win.njrat win.quasar_rat win.remcos win.revenge_rat

References
http://blog.deniable.org/blog/2016/08/26/lurking-around-revenge-rat/
http://blog.fernandodominguez.me/lokis-antis-analysis/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/
http://blogs.360.cn/post/analysis-of-apt-c-37.html
http://csecybsec.com/download/zlab/20171221_CSE_Bladabindi_Report.pdf
http://malware-traffic-analysis.net/2017/12/22/index.html
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf
http://www.malware-traffic-analysis.net/2017/06/12/index.html
https://attack.mitre.org/groups/G0078/
https://blog.ensilo.com/uncovering-new-activity-by-apt10
https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services
https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
https://github.com/R3MRUM/loki-parse
https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf
https://github.com/quasar/QuasarRAT/tree/master/Client
https://goggleheadedhacker.com/blog/post/11
https://isc.sans.edu/diary/24372
https://isc.sans.edu/diary/rss/22590
https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/
https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/
https://phishme.com/loki-bot-malware/
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://secrary.com/ReversingMalware/RemcosRAT/
https://securelist.com/loki-bot-stealing-corporate-passwords/87595/
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
https://twitter.com/malwrhunterteam/status/789153556255342596
https://twitter.com/struppigel/status/1130455143504318466
https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/
https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/
https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
https://www.lastline.com/blog/password-stealing-malware-loki-bot/
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.vmray.com/cyber-security-blog/smart-memory-dumping/
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Credits: MISP Project