New research has revealed that the threat group behind the cryptocurrency-stealing MasterMana botnet has grown increasingly sophisticated and is now trapping victims through spoofed login portals.
Gorgon Group has been observed targeting the European Union as well as Dubai’s main electrical/water utility DEWA with fake login pages that are highly convincing.
In another newly detected campaign, researchers observed Gorgon Group using a clever social engineering scheme targeting Spanish/Portuguese speakers with typo-squatted hotel websites and spoofed reservation confirmations.
Historically, the group has relied on cheap malware obtained via the dark web to orchestrate their dastardly scams, but researchers say that Gorgon Group is now developing and customizing these tools to become even more dangerous.
“I am surprised at the level of sophistication that this group has shown over the past year,” Prevailion’s director of intelligence analysis, Danny Adamitis, told Infosecurity Magazine. “During this time, they have taken a number of steps in order to increase their operational security both against network and host-based detection.
“One example is their use of the new ‘office.dll’ that would elevate the actor’s privilege level and then disable Windows Defender. Another example is the actor going back and modifying an old Pastebin post in order to make tracking their activity more difficult.”
Along with the new “office.dll,” Gorgon Group has rolled out a variant of the NJrat trojan and a new, trojanized PowerPoint file, as well as a downloader that references the lyrics of rapper Drake.
Adamitis, whose favorite Drake track is “God’s Plan,” said it was difficult to predict how the threat group would evolve.
He said: “Unfortunately we don’t have enough data at this time to make any sound conclusions about their intent.”
It is not currently known from where Gorgon Group operates, though Adamitis speculates that the group is operating out of Pakistan.
Adamitis said: “We have observed some Gorgon Group activity occurring from Pakistani-based IP addresses; however, IP addresses can be spoofed. We do not have enough evidence at this time to make any definitive comments on attribution.”