Pakistan-linked Gorgon Group found engaging in both cybercrime and targeting governments

• The cybercriminal group uses a multitude of malware, including Trickbot and NjRAT, as part of their malicious infrastructure.
• The threat group has targeted government organizations in the UK, US, Spain and Russia.

Security researchers have discovered a new threat group believed to be linked to Pakistan. The cybercrime gang - the Gorgon Group - has so far targeted government organizations across the UK, US, Spain, and Russia.

The group was observed targeting government entities as well as conducting general cybercriminal operations across the globe, often using shared malicious infrastructure. The group also uses a multitude of malware variants including the prolific Trickbot banking malware and NjRAT.

Small cyber gang

According to security researchers at Palo Alto Networks, who discovered the Gorgon Group’s new campaign in February 2018, the group likely consists of five members, one of whom is known as Subaat. Although it is unclear whether the group’s members physically reside in Pakistan, their online personas purport to be based out of the nation.

“The crew combines both regular crime and targeted attack objectives using the same domain infrastructure over time, rarely changing their TTPs,” Palo Alto researchers wrote in a blog. “Between April 1, 2018 and May 30, 2018, we observed the domain stevemike-fireforce[.]info used in a Gorgon Group cybercrime campaign involving more than 2,300 emails and 19 documents in the initial attack. This same domain was also used during the same period of time in targeted attacks against several worldwide nation state agencies.”

Gorgon Group malware

Researchers discovered that the Gorgon Group uses unique domains for both cybercrime and targeted attacks. However, the use of these domains in cybercrime seems to be higher than for targeted attacks on government organizations.

The group uses a wide variety of malware such as NjRAT, RevengeRAT, RemcosRAT, NanoCoreRAT and Lokibot. Most of these malware variants are widely available via dark web forums and have been used by other cybercriminals as well.

“One interesting note about the criminal activity of Gorgon Group is their usage of Bitly. Similar to that of their targeted attacks, Gorgon Group leveraged Bitly for distribution and shortening of C2 domains. Using the same techniques across both their criminal and targeted activity, made it easier for us to cluster Gorgon Group infrastructure and activity,” Palo Alto researchers said.

According to the researchers, Gorgon Group is not the first to combine both cybercriminal and targeted attacks in its attack repertoire. However, it is surprising to see how their efforts remain successful despite operational security flaws.

“Overall, in spite of the lack of sophistication in Gorgon Group’s activity, they were still relatively successful; once again proving that simple attacks on individuals without proper protections, work,” Palo Alto researchers concluded.