Hacking group combines spear-phishing with mass malware campaign

Pakistani hacking group uses basic techniques and has poor operational security - but appears to have slithered into a large number of networks.

A hacking group is attempting to carry out targeted attacks against nation states while at the same time using the same infrastructure to carry out spam campaigns with the intention of delivering malware.

Active since at least February 2018, the attackers are using phishing attacks to target governmental organizations of the UK, Spain, Russia, and the US.

The group behind these attacks has been dubbed Gorgon Group and is believed to operate out of Pakistan. The name Gorgon refers to the mythical creature of Ancient Greek literature, who had snakes for hair.

Their campaigns have been uncovered by researchers at Palo Alto Networks' Unit 42 research group during an ongoing investigation into an individual known to carry out phishing campaigns. Much of the operation has been uncovered thanks to Gorgon's use of a common URL shortener which openly provides click rates and other data surrounding the campaign.

Gorgon targets are sent spear-phishing emails with subjects based around terrorism, the military and politics in Pakistan and its neighbours. Within these emails are Microsoft Word documents with names based around the same subjects.

These malicious documents exploit CVE-2017-0199, a vulnerability that lets attackers download and execute a Visual Basic script containing PowerShell commands when the lure is opened, which in turn allows the attacker to run commands and install programs. The vulnerability is commonly used in cyber-criminal and espionage campaigns.

In these instances, the attackers are attempting to deliver one of three families of trojan malware which can easily be purchased on underground forums -- NanoCoreRAT, QuasarRAT, and NJRAT -- with the end-goal of carrying out espionage and stealing data.

The payload is delivered with the aid of bitly, a third-party URL shortener. The attacks don't rely on users clicking the shortened links; rather, the attack process uses bitly as part of the dropping process when communicating with the command server.

"The malware itself made bitly requests as part of its execution flow. It was used to redirect to websites that hosted final payloads or decoy documents," Josh Grunzweig, principal malware researcher at Palo Alto Networks' Unit 42 research team, told ZDNet.
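As an added illustration (not from the article or Unit 42's research): because the bitly lookups come from the malware rather than from a person clicking, a web-proxy log can be searched for shortener requests made by script or Office user agents and then followed by a binary download. The log format, user-agent markers, content types and sample lines below are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "bitly.com"}
# Assumed markers of script hosts and Office making the request instead of a browser.
SCRIPTED_UA = re.compile(r"WindowsPowerShell|ms-office|Microsoft Office|WinHttp", re.I)
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream", "application/hta"}
WINDOW = timedelta(seconds=30)

# Constructed sample lines: time|client|url|status|location|content-type|user-agent
SAMPLE_LOG = """\
2018-04-02T09:14:07|10.0.4.21|http://bit.ly/EXAMPLE1|301|http://files.example.net/inv.exe|text/html|Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005
2018-04-02T09:14:08|10.0.4.21|http://files.example.net/inv.exe|200|-|application/x-msdownload|Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14409.1005
2018-04-02T09:20:31|10.0.4.35|http://bit.ly/EXAMPLE2|301|http://news.example.org/story|text/html|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/65.0 Safari/537.36
2018-04-02T09:20:32|10.0.4.35|http://news.example.org/story|200|-|text/html|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/65.0 Safari/537.36
2018-04-02T09:31:50|10.0.4.40|http://bit.ly/EXAMPLE3|301|http://docs.example.net/decoy.doc|text/html|Mozilla/4.0 (compatible; ms-office; MSOffice 16)
"""

def parse(line):
    ts, client, url, status, location, ctype, ua = line.split("|", 6)
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url,
            "status": int(status), "location": location, "ctype": ctype, "ua": ua}

def find_shortener_drops(log_text):
    """Alert on shortener lookups made by non-browser clients; severity is
    'high' when the redirect target is then fetched as an executable type."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for i, r in enumerate(records):  # log is assumed to be time-ordered
        host = (urlsplit(r["url"]).hostname or "").lower()
        if host not in SHORTENERS or r["status"] not in (301, 302):
            continue
        if not SCRIPTED_UA.search(r["ua"]):
            continue  # ordinary browser click-through, not flagged here
        followed = any(
            n["client"] == r["client"] and n["url"] == r["location"]
            and n["ctype"] in PAYLOAD_TYPES and n["ts"] - r["ts"] <= WINDOW
            for n in records[i + 1:])
        alerts.append({"client": r["client"], "short_url": r["url"],
                       "target": r["location"],
                       "severity": "high" if followed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_shortener_drops(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the PowerShell lookup followed by an executable download is rated high, the Office lookup with no observed follow-on fetch is rated medium, and the browser click-through is ignored.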

In total 841 users have clicked through to the link, with 410 of these in Pakistan and a further 194 in the United States -- although some of these clicks are likely researchers investigating the attacks. The attacks mostly took place between March and May.

While no information is provided on the number of successful infections by Gorgon, the figures indicate that even this campaign, with its unsophisticated infrastructure, has potentially been able to dupe targets within governments.

But rather than just focusing on nation-state targets, Gorgon is also actively involved in conducting more general cyber-criminal campaigns which have a much wider range of targets -- bitly statistics suggest these spam campaigns have netted almost 133,000 clicks since February, with victims across the world.

These crimeware campaigns are far less sophisticated than the targeted campaigns against nation states, relying on spam that uses well-known lures including purchase orders, shipping receipts and documents purporting to be related to the SWIFT banking network.

Trojans used in these attacks are the same as those used to target nation states, although commodity malware like Lokibot is also deployed. The goal of these attacks is to steal private information such as passwords, log-in credentials, cryptocurrency wallets and more.

But despite the simple nature of the attacks and the fact they're delivered by mass spam campaigns, the sheer number of times malware has been retrieved using bitly suggests the attacks are working.

"Overall, in spite of the lack of sophistication in Gorgon Group's activity, they were still relatively successful; once again proving that simple attacks on individuals without proper protections, work," said Grunzweig.

Organisations can protect themselves from falling victim to these attacks by using security procedures such as network segmentation and ensuring that appropriate patches which protect against the exploits used in these attacks are deployed. Preventing the ability to enable macros also goes a long way to stopping attacks.

The Gorgon group is still actively carrying out campaigns and still poses a threat. It's likely that as the group gains more experience, they'll adopt different techniques -- and look to bolster the operational security of future campaigns.

"I suspect over time we will see them evolve and we may see them leverage different tactics with regards to how malware is being delivered and ultimately installed on victim machines," said Grunzweig.

"As we've seen with other threat actors, as the group gains more experience it is likely that their operational security measures will be strengthened, limiting their online exposure and mistakes that ultimately lead to identification," he added.
