ATK92

Presumed Origin: Pakistan < Back

Alias: Gorgon group, Subaat, TAG-CR5

ATK92 (aka: Gorgon Group, or Aggah) is engaged both in cybercriminal attacks as well as targeted attacks against worldwide governmental organizations. The group is active since 2017 and is believed to be operating from Pakistan. The group's campaigns targeted government organizations in the United Kingdom, Spain, Russia, and the United States. The infection chain of their attacks usually starts by phishing emails containing trojanized documents, which will launch powershell commands and configure the C2.

REFERENCES

- MITRE, Gorgon Group, https://attack.mitre.org/groups/G0078/
- Check Point, Njrat, https://threatpoint.checkpoint.com/ThreatPortal/threat?threatId=9478&threatType=malwarefamily
- MITRE, Crimson, https://attack.mitre.org/software/S0115/
- 04/03/2016, threat post, https://threatpost.com/espionage-malware-watering-hole-attacks-target-diplomats/116600/
- 19/01/2017, NJCCIC, NJRat, https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat
- 27/10/2017, paloalto, Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository, https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/
- 31/01/2018,NJCCIC, Quasar RAT, https://www.cyber.nj.gov/threat-profiles/trojan-variants/quasar-rat
- 02/08/2018, paloalto, The Gorgon Group: Slithering Between Nation State and Cybercrime, https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
- 22/10/2018, Krebs on Security, Who Is Agent Tesla?, https://krebsonsecurity.com/tag/nanocore-rat/
- 17/04/2019, paloalto, Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign, https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/
- 18/04/2019, Bleeping Computer, https://www.bleepingcomputer.com/news/security/revengerat-distributed-via-bitly-blogspot-and-pastebin-c2-infrastructure/
- 16/01/2019, ZDNet, NanoCore Trojan is Protected in Memory from being Killed off, https://www.zdnet.com/article/nanocore-trojan-stops-you-killing-its-process/

Target sector

Government and administration agencies

Target countries

Russian Federation
Saudi Arabia
Spain
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1023 - Shortcut Modification
T1055 - Process Injection
T1059 - Command-Line Interface
T1060 - Registry Run Keys / Startup Folder
T1064 - Scripting
T1065 - Uncommonly Used Port
T1086 - PowerShell
T1089 - Disabling Security Tools
T1093 - Process Hollowing
T1105 - Remote File Copy
T1106 - Execution through API
T1112 - Modify Registry
T1140 - Deobfuscate/Decode Files or Information
T1193 - Spearphishing Attachment
T1204 - User Execution

Motivation

Financial Gain

Malwares

Crimson
LokiBot
Nanocore
QuasarRAT
RemcosRAT
RevengeRAT
njRAT

Vulnerabilities

CVE-2012-0158
CVE-2017-0199