Pakistani Hacking Team Uses Basic Techniques in Spear-Phishing Bulk Malware Campaign

The Pakistani group that combines spear-phishing with mass malware, has poor operational security and uses fundamental techniques, yet it appears that the hacking groups have slid into many networks.

The hackers attempting to target nation states attacks is using an identical infrastructure for spam campaigns to deliver malware. The attackers are active since February 2018 and use phishing attacks as they target US, Russia, Spain and UK governmental organisations. Dubbed the Gorgon Group, those behind the attacks are believed to operate from Pakistan, while the Gorgon name refers to a mythical Ancient Greek creature that had snakes for hair.

Palo Alto Networks researchers uncovered their campaigns during an investigation into individuals who are known to carry out phishing mail campaigns. Thanks to the Gorgon’s use of a URL shortener that is common, much has been uncovered regarding their campaign, which openly offers other data surrounding the campaign and click rates.

The Gorgon group sent out spear-phishing emails with subject lines based on politics, military and terrorism in Pakistan and within these emails, there are Microsoft word documents titled around the same subjects. The CVE-2017-0199 malicious document exploits a vulnerability which enables the attackers to execute and download a visual basic script, which contains PowerShell commands. When opened it enables the attackers to install programs and run commands, basically the same as used in espionage and cyber-criminal campaigns. The attackers tempt to deliver trojan malware, easily available from underground forums, NJRAT, QuasarRAT or NanoCoreRAT all have the same end goal which is to steal data and carry out espionage.

Third-Party URL Aiding in Attack

It is delivered via the aid of a third-party URL shortener bitly. The attacks do not involve clicking on the links, as bitly is used as the dropping process as it communicates with the command server. Bitly requests are part of the execution flow and used to redirect traffic to the websites hosting the decoy documents and final payloads.

The number of users that have clicked through to the link is 841 in total, of which 410 were in Pakistan, another 194 clicked through from the United States, although some of these were clicks from researchers that investigate the attacks that took place in March and May. The number of successful infections reached by the Gorgon using such an unsophisticated infrastructure is not indicated although it has been able to hit targets within the targeted governments.

Apart from targeting nation-states, the Pakistani hacking group is also involved in general cyber-criminal activities aimed at a larger targeted audience. Statistics by bitly suggest that the spam campaign reached 133,000 clicks across the globe since February. The Gorgon’s are still active and is believed to soon adopt different techniques as it gains experience.