Delaware, USA – August 9, 2018 – Experts from Palo Alto Networks have discovered a new Pakistani threat actor, which they named the Gorgon Group. The group has been active since February 2018, but researchers traced the activity of its members back to 2016. Gorgon Group conducts both criminal and targeted attacks using the same infrastructure. During its operations, the adversaries distribute the LokiBot malware and a number of remote access tools. These attacks follow the same scenario: the adversaries send specially crafted phishing emails with an attached RTF file that exploits the CVE-2017-0199 vulnerability to download a script containing PowerShell commands that install the final payload.
It’s worth noting that the attackers use URL shortening services to avoid detection by traffic analysis solutions, and the statistics exposed by these same services helped researchers measure the effectiveness of the Gorgon Group campaigns. Despite the simplicity of the infection technique and the availability of security updates for the MS Office flaw, Gorgon Group attacks are quite effective, and hundreds of people click on the malicious links during each campaign. Installing all available Microsoft Office patches protects against this group’s campaigns. You can also export a free Sigma rule for your security platform that helps to detect the LokiBot malware: https://tdm.socprime.com/sigma/generate/0gI632MBqfpvXJhT2QxA/
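As an added illustration of the mail-gateway side of this defence (example code written for this page, not from Palo Alto Networks or SOC Prime), the heuristic below scans an RTF attachment for the two traits that exploit documents for CVE-2017-0199 combine: an auto-updating embedded object (`\objupdate` / `\objautlink`) and an OLE object stream carrying the URL Moniker CLSID. The sample documents are constructed for the test and contain no exploit; the control-word and CLSID choices are a heuristic, not a complete parser.

```python
import re

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, stored little-endian
# inside an OLE object stream. Its presence in an \objdata blob means the object
# resolves a remote URL when loaded, which is what CVE-2017-0199 documents rely on.
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# RTF control words that make Word refresh a linked object automatically on open.
SUSPICIOUS_CONTROL_WORDS = (b"\\objupdate", b"\\objautlink")


def _decode_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every hex-encoded \\objdata blob in the RTF."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue
    return blobs


def rtf_indicators(rtf: bytes) -> dict:
    """Report which individual indicators are present in the document."""
    found = {w.decode("ascii"): (w in rtf) for w in SUSPICIOUS_CONTROL_WORDS}
    found["url_moniker"] = any(URL_MONIKER_CLSID in b for b in _decode_objdata(rtf))
    return found


def is_suspicious_rtf(rtf: bytes) -> bool:
    """Flag RTFs that pair an auto-updating object with a URL moniker object."""
    ind = rtf_indicators(rtf)
    return ind["url_moniker"] and (ind["\\objupdate"] or ind["\\objautlink"])


# Constructed samples (not real documents): a plain RTF, and a mock-up that carries
# the indicators above inside a fake \objdata blob with an arbitrary 8-byte header.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report attached.\\par}"
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
    + b"0105000002000000" + URL_MONIKER_CLSID.hex().encode("ascii") + b"0000"
    + b"}}}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("mock-up", SUSPICIOUS_RTF)):
        print(name, is_suspicious_rtf(doc), rtf_indicators(doc))
```

In a gateway this check would run on each RTF attachment before delivery; a hit is a reason to quarantine the message for analyst review, while a miss is not proof of safety, since a different object type or an obfuscated blob would evade this heuristic.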