{
	"id": "91869e07-e8d1-4eee-829a-388db9cc1b8a",
	"created_at": "2026-04-06T00:10:16.011926Z",
	"updated_at": "2026-04-10T03:35:56.583663Z",
	"deleted_at": null,
	"sha1_hash": "bfdaea15dc2c8a19ce0a09db9dd0e5745f71e4ea",
	"title": "Gorgon APT targeting MSME sector in India",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 996161,
	"plain_text": "Gorgon APT targeting MSME sector in India\r\nBy Pavankumar Chaudhari\r\nPublished: 2020-08-10 · Archived: 2026-04-05 12:52:23 UTC\r\nFor the past few months, we have been monitoring cyber-threats against the MSME [Micro, Small and Medium\r\nEnterprises] sector within India. The MSME sector is considered the backbone of the Indian economy: it\r\nemploys around 40% of the country’s workforce and contributes nearly 45% of manufacturing output and 40% of\r\nexports. Already facing a major financial resource crunch, MSMEs are among the worst affected by the ongoing COVID-19\r\npandemic.\r\nWe observed one such wave against MSMEs in late April 2020: a phishing campaign luring victims with\r\nCOVID-19 themed maldocs. From this campaign, one prominent file was:\r\nFileName: face mask order.doc\r\nMD5: 4FC5BA9426E9191AAB4E694E7E703E13\r\nSHA-1: B5EBAF2F5AF220FE1B1DE5433C2E39FF16B0C0B4\r\nSHA-256: 2022D9CC42ED2838DAA442561107C29297BDDB88B36222345C10B39164E66819\r\nPrevalence: 300+\r\nFigure 1: Trend for Gorgon APT sample\r\nTechnical Details\r\nVictims received an email with an attached zip “face mask order.zip” containing the aforementioned maldoc,\r\nwhich is responsible for dropping malware onto the victim machine. The attack begins when “face mask order.doc” is opened. Despite its\r\n.doc extension, the file is an RTF document weaponized with an exploit for CVE-2017-11882 that executes arbitrary code.\r\nhttps://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/\r\nPage 1 of 9\n\nFigure 2: Process Infection Chain\r\nCVE-2017-11882 Analysis:\r\nThe malicious RTF document contains two malicious OLE objects.\r\nFigure 3: RTF Objects\r\nExtracting the OLE objects from the RTF file shows that OLE object (#0) is a VBScript file (ServerCrypted.vbs)\r\nand object (#2) contains the Equation Editor exploit together with the command that runs the dropped file: “CmD.exe /C cscript\r\n%tmp%\\ServerCrypted.vbs”.\r\nOLE object (#0) is the embedded ServerCrypted.vbs script, as shown in figure 4.\r\nFigure 4: Embedded VBScript\r\nThe class name of object (#2) is Equation.3, i.e. the Equation Editor object that carries the CVE-2017-11882 exploit, as shown in the image below.\r\nFigure 5: RTF contents\r\nThe same object also contains the command to run the ServerCrypted.vbs script, as shown in figure 6.\r\nFigure 6: RTF contents\r\nCVE-2017-11882 is present in the Microsoft Office Equation Editor (EQNEDT32.EXE) component. An attacker\r\ncan exploit a stack buffer overflow in the Equation Editor component of MS Office and\r\nexecute arbitrary code. The root cause of this vulnerability is an unbounded copy of the font name string defined\r\nin a FONT record of the Equation Editor OLE object data (the MTEF data in the Equation Native stream).\r\nThe figure below shows the stack buffer overflow scenario while the font name is copied into a fixed-size local stack\r\nbuffer.\r\nFigure 7: Stack buffer overflow scenario\r\nBecause the copy is unbounded, an overlong font name overwrites the saved return address. In this case, the function “returns” to 0x430c12, the location in EQNEDT32.EXE from which WinExec is called, and the argument WinExec receives is the\r\n“font name” buffer itself, which holds the command the attacker wants to execute.\r\nFigure 8: Return address, overwritten with WinExec\r\nVBScript Analysis:\r\nAfter successful exploitation, cmd.exe is executed with the command:\r\n“/c cscript %tmp%\\ServerCrypted.vbs \u003e\u003e AC”\r\nThis command creates a cscript.exe process to execute the code in ServerCrypted.vbs. The VBScript file was already\r\ndropped in the %temp% folder by the WinWord process. The figures below show the VBScript code. 
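Before following the script further, the RTF and Equation Editor stages described above can be checked mechanically. The Python below is an added example written for this page, not code from the Seqrite analysis or from any tool shown in its figures. It pulls each objdata group out of an RTF, reads the OLE1 ObjectHeader to recover the class name (Equation.3 here) and to confirm the embedded storage is a compound file, and then walks the MTEF records of an Equation Native stream to find FONT records whose name is long enough to reach the saved return address. The sample RTF, the MTEF bytes, the 44-byte return-address offset and the 40-byte sanity limit are constructed or assumed for the example; the 0x00430c12 address is the one named in the analysis.

```python
import re
import struct

BS = chr(92)   # the RTF control-word introducer (a backslash)
OLE_CFB_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')   # compound-file header

# Constructed sample, not from the campaign: a minimal RTF with one embedded
# OLE1 object whose binary ObjectHeader names the Equation.3 class.
# '~' stands in for the backslash and is swapped in below.
SAMPLE_RTF = (
    '{~rtf1~ansi lure text{~object~objemb{~*~objclass Equation.3}{~*~objdata '
    '01050000'                  # OLEVersion
    '02000000'                  # FormatID 2 = embedded object
    '0b000000'                  # ClassName length, NUL included
    '4571756174696f6e2e3300'    # Equation.3 followed by NUL
    '00000000' '00000000'       # TopicName and ItemName lengths
    '10000000'                  # NativeDataSize = 16
    'd0cf11e0a1b11ae1'          # CFB magic of the embedded storage
    '0000000000000000'          # filler standing in for the rest of the storage
    '}}}'
).replace('~', BS)

def parse_ole1_header(blob):
    # OLE1.0 ObjectHeader: version, format id, then length-prefixed strings.
    version, format_id, name_len = struct.unpack_from('<III', blob, 0)
    class_name = blob[12:12 + name_len].split(bytes([0]))[0].decode('latin-1')
    off = 12 + name_len
    for _ in ('TopicName', 'ItemName'):
        (n,) = struct.unpack_from('<I', blob, off)
        off += 4 + n
    (native_size,) = struct.unpack_from('<I', blob, off)
    native = blob[off + 4:off + 4 + native_size]
    return {'version': version, 'format_id': format_id, 'class_name': class_name,
            'native_size': native_size, 'is_cfb': native.startswith(OLE_CFB_MAGIC),
            'equation_editor': class_name.lower().startswith('equation')}

def extract_rtf_objects(rtf):
    # Pull every objdata group out of the RTF and decode its OLE1 header. The
    # class name comes from the binary header, not from the optional objclass
    # control word, so omitting objclass does not hide an Equation object.
    found = []
    for m in re.finditer(re.escape(BS + 'objdata') + '([^}]*)', rtf):
        hexdata = re.sub('[^0-9A-Fa-f]', '', m.group(1))   # hex may be wrapped/spaced
        blob = bytes.fromhex(hexdata[:len(hexdata) - len(hexdata) % 2])
        found.append(parse_ole1_header(blob))
    return found

# MTEF v3 records inside the Equation Native stream. FONT record = tag 0x08,
# tface byte, style byte, NUL-terminated name; the overlong name is the bug.
MTEF_END, MTEF_LINE, MTEF_FONT = 0x00, 0x01, 0x08
SIZE_RECORDS = {0x0A, 0x0B, 0x0C, 0x0D, 0x0E}   # FULL..SUBSYM carry no operands
RET_OFFSET = 44       # ASSUMPTION from public CVE-2017-11882 write-ups: the
                      # saved return address lies 44 bytes into the name
FONT_NAME_LIMIT = 40  # ASSUMPTION: no legitimate font name comes near this

def scan_mtef_font_records(data):
    off = 28 if data[:2] == bytes.fromhex('1c00') else 0   # skip EQNOLEFILEHDR
    off += 5                                               # MTEF header bytes
    fonts = []
    while off < len(data):
        tag = data[off]
        rec = tag & 0x0F              # low nibble = record type, high = flags
        if rec == MTEF_END:
            break
        if rec == MTEF_FONT:
            end = data.find(bytes([0]), off + 3)
            end = len(data) if end < 0 else end
            name = data[off + 3:end]
            padded = name + bytes([0])   # the terminating NUL is copied too
            ret = (struct.unpack_from('<I', padded, RET_OFFSET)[0]
                   if len(padded) >= RET_OFFSET + 4 else None)
            fonts.append({'tface': data[off + 1], 'style': data[off + 2],
                          'name_len': len(name),
                          'command': name[:RET_OFFSET].decode('latin-1').rstrip(),
                          'overflow': len(name) > FONT_NAME_LIMIT,
                          'ret_candidate': ret})
            off = end + 1
        elif rec in SIZE_RECORDS or (rec == MTEF_LINE and (tag & 0xF0) == 0):
            off += 1                  # no operands to skip
        else:
            break                     # other record types are out of scope here
    return fonts

# Constructed Equation Native body: MTEF header, FULL and LINE records, then a
# FONT record whose name is the command padded to RET_OFFSET and followed by
# the little-endian return address 0x00430c12 discussed above.
COMMAND = 'cmd.exe /c cscript %tmp%' + BS + 'ServerCrypted.vbs'
SAMPLE_MTEF = (bytes.fromhex('030101030a') + bytes([0x0A, MTEF_LINE, MTEF_FONT, 0x5A, 0x5A])
               + COMMAND.ljust(RET_OFFSET).encode('ascii')
               + bytes.fromhex('120c4300') + bytes([MTEF_END]))
SAMPLE_EQN_NATIVE = bytes.fromhex('1c00') + bytes(26) + SAMPLE_MTEF   # stand-in 28-byte header
```

Real samples hide the object behind RTF obfuscation that the regular expression above does not handle (control words split across groups, binary runs, objclass omitted or misspelt), and the OLE compound file still has to be parsed to reach the Equation Native stream; rtfobj and the rest of oletools do both. The point the scanner makes is that detection should key on the class name in the binary header and on the length of the FONT name, not on the objclass text.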
As shown in figures 9\r\nand 10, the actors used AV-vendor names for function names, variable names and strings. This VBScript\r\nis responsible for executing two processes, cmd.exe and powershell.exe. Figure 10 shows the obfuscated PowerShell\r\nscript.\r\nFigure 9: Contents of ServerCrypted.vbs\r\nFigure 10: Contents of ServerCrypted.vbs\r\nPowerShell Analysis:\r\nFigure 11 shows the de-obfuscated PowerShell script.\r\nAs shown below, the script downloads two files with a .jpg extension. The first file, “15882060891.jpg”, is a\r\nPowerShell script that contains an encoded injector DLL written in C#, as shown in figure 12. This DLL is loaded\r\nin memory by PowerShell. In this script, the actors used some interesting class and function names in the injector DLL,\r\nsuch as FlorianRoth and Cyb3rOps. Florian Roth is a well-known security researcher and CTO of Nextron Systems;\r\nCyb3rOps is his Twitter handle. The second file downloaded by PowerShell, “15882060892.jpg”,\r\nis an encoded Agent Tesla payload. This payload is injected into the Windows native binary RegAsm.exe.\r\nFigure 11: Decoded PowerShell script\r\nBelow is the encoded data of hxxp://www[.]m9c[.]net/uploads/15882060891.jpg: PowerShell code plus the\r\nencoded injector DLL data.\r\nFigure 12: Contents of 15882060891.jpg\r\nAfter decoding, the PE header of the injector DLL can be seen.\r\nFigure 13: Decoded data of 15882060891.jpg\r\nThe contents of hxxp://www[.]m9c[.]net/uploads/15882060892.jpg, the encoded final payload, are shown in figure 14. 
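Taken together, the stages above form a process chain: the exploited Equation Editor (EQNEDT32.EXE) launching cmd.exe, cmd.exe running cscript on a script in the temp folder, cscript launching PowerShell, and PowerShell starting RegAsm.exe to host the injected payload. The Python below is an added example for this page, not Seqrite code, that turns each link of that chain into a parent/child rule and runs the rules over constructed process-creation events (made-up PIDs, paths and PowerShell command line, in a simplified Sysmon Event ID 1 shape).

```python
import ntpath

BS = chr(92)   # Windows path separator (a backslash)

def win(*parts):
    # join constructed Windows paths without writing backslashes inline
    return BS.join(parts)

# Constructed process-creation events in a simplified Sysmon Event ID 1 shape.
# PIDs, paths and the PowerShell command line are made up for this example.
SAMPLE_EVENTS = [
    {'pid': 400, 'ppid': 1, 'image': win('C:', 'Windows', 'explorer.exe'),
     'cmdline': 'explorer.exe'},
    {'pid': 800, 'ppid': 1, 'image': win('C:', 'Windows', 'System32', 'svchost.exe'),
     'cmdline': 'svchost.exe -k DcomLaunch'},
    {'pid': 1200, 'ppid': 400, 'image': win('C:', 'Program Files', 'Microsoft Office', 'Office16', 'WINWORD.EXE'),
     'cmdline': 'WINWORD.EXE face mask order.doc'},
    # Equation Editor is started as an out-of-process COM server, so its parent
    # is the DCOM svchost rather than WINWORD.EXE.
    {'pid': 1201, 'ppid': 800, 'image': win('C:', 'Program Files', 'Common Files', 'Microsoft Shared', 'EQUATION', 'EQNEDT32.EXE'),
     'cmdline': 'EQNEDT32.EXE -Embedding'},
    {'pid': 1202, 'ppid': 1201, 'image': win('C:', 'Windows', 'System32', 'cmd.exe'),
     'cmdline': 'CmD.exe /C cscript %tmp%' + BS + 'ServerCrypted.vbs >> AC'},
    {'pid': 1203, 'ppid': 1202, 'image': win('C:', 'Windows', 'System32', 'cscript.exe'),
     'cmdline': 'cscript ' + win('C:', 'Users', 'victim', 'AppData', 'Local', 'Temp', 'ServerCrypted.vbs')},
    {'pid': 1204, 'ppid': 1203, 'image': win('C:', 'Windows', 'System32', 'WindowsPowerShell', 'v1.0', 'powershell.exe'),
     'cmdline': 'powershell -NoProfile -WindowStyle Hidden -Command <obfuscated script>'},
    {'pid': 1205, 'ppid': 1204, 'image': win('C:', 'Windows', 'Microsoft.NET', 'Framework', 'v4.0.30319', 'RegAsm.exe'),
     'cmdline': 'RegAsm.exe'},
    # Ordinary admin activity that must not fire.
    {'pid': 1300, 'ppid': 400, 'image': win('C:', 'Windows', 'System32', 'cmd.exe'),
     'cmdline': 'cmd.exe'},
    {'pid': 1301, 'ppid': 1300, 'image': win('C:', 'Windows', 'System32', 'ipconfig.exe'),
     'cmdline': 'ipconfig /all'},
]

SCRIPT_HOSTS = {'cscript.exe', 'wscript.exe'}
SHELLS = {'cmd.exe', 'powershell.exe'} | SCRIPT_HOSTS

# One rule per link of the infection chain: (name, parent test, child test).
# p and c are lower-cased image basenames; cl is the child command line.
RULES = [
    ('equation_editor_spawns_shell',
     lambda p: p == 'eqnedt32.exe', lambda c, cl: c in SHELLS),
    ('script_host_runs_from_temp',
     lambda p: True,
     lambda c, cl: c in SCRIPT_HOSTS and ('temp' in cl.lower() or '%tmp%' in cl.lower())),
    ('script_host_spawns_powershell',
     lambda p: p in SCRIPT_HOSTS, lambda c, cl: c == 'powershell.exe'),
    ('powershell_spawns_regasm',
     lambda p: p == 'powershell.exe', lambda c, cl: c == 'regasm.exe'),
]

def image_name(event):
    return ntpath.basename(event['image']).lower()

def lineage(events, pid):
    # Follow ppid links to the root and return the image names root-first,
    # which is the context an analyst wants attached to each alert.
    by_pid = {e['pid']: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]['image']))
        pid = by_pid[pid]['ppid']
    return chain[::-1]

def detect(events):
    by_pid = {e['pid']: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e['ppid'])
        pname = image_name(parent) if parent else ''
        for name, parent_ok, child_ok in RULES:
            if parent_ok(pname) and child_ok(image_name(e), e['cmdline']):
                alerts.append({'rule': name, 'pid': e['pid'],
                               'lineage': lineage(events, e['pid'])})
    return alerts

if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['rule'], alert['pid'], ' -> '.join(alert['lineage']))
```

Each alert carries the full lineage, so an analyst sees the whole chain in one line. The first rule is the strongest signal on its own: EQNEDT32.EXE has no legitimate reason to start a shell or script host, so it is worth alerting on even when the later stages change.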
Figure 14: Contents of 15882060892.jpg\r\nFinal Payload – Agent Tesla:\r\nThe figure below shows the Agent Tesla payload injected into RegAsm.exe.\r\nFigure 15: Injected payload\r\nAgent Tesla is a well-known keylogger and infostealer written in .NET. This malware steals information from a\r\nvariety of applications such as web browsers, email clients, FTP clients, messenger applications, VPN clients, etc.,\r\nand can also take screenshots of the system. All stolen data is exfiltrated over SMTP.\r\nWe have already explored and analysed Agent Tesla in our last couple of blogs:\r\nAdvance Campaign Targeting Manufacturing and Export Sectors in India\r\nCoronavirus-themed Campaign delivers Agent Tesla Malware\r\nConclusion\r\nMost of the TTPs shared above have been seen on several occasions in the last few years. Looking at the malware, C2 and\r\ntechnique execution, Quick Heal correlates this campaign against the MSME sector to the Gorgon group [a.k.a. Subaat]. All\r\nmembers of the Gorgon cyber-criminal group purport to have Pakistan-based interests/connections. A few months ago,\r\nanother Gorgon campaign was uncovered which used the same commodity malware RATs to\r\naccomplish its objective.\r\nGiven the global impact of COVID-19, threat actors will likely continue to use COVID-19-themed emails to\r\ndeliver malware broadly in support of their objectives. Considering this trend, we encourage Micro, Small and\r\nMedium Enterprises to apply extra scrutiny to COVID-19-related emails containing attachments. 
Though large\r\norganizations, critical government infrastructure and others have built some resilience to such cyber threats,\r\nMSMEs still need to catch up and remain extra vigilant, with a robust strategy to mitigate risks.\r\nThreat Protection\r\nOur Seqrite and Quick Heal line of products protect against top cyber threats including Microsoft Office Memory\r\nCorruption Vulnerability (CVE-2017-11882) and variants of the Agent Tesla RAT. Our advanced signature-less\r\nbehaviour-based detection successfully blocks Agent Tesla variants.\r\nQuick Heal advises users to exercise ample caution and avoid opening attachments \u0026 clicking on web links in\r\nunsolicited emails. Users should also keep their operating system updated and have a full-fledged security\r\nsolution installed on all devices.\r\nWhile organizations with appropriate spam filtering, proper system administration, and up-to-date Windows hosts\r\nhave a much lower risk of infection, we further encourage organizations to validate the installation of the\r\nMicrosoft patch for CVE-2017-11882. Note that Microsoft removed the Equation Editor component altogether in the January 2018\r\nOffice updates, so on a fully updated host EQNEDT32.EXE should no longer be registered as a usable COM server; a host where it still runs has not received those updates.\r\nQuick Heal’s research team is proactively monitoring all campaigns targeting MSMEs and working relentlessly to\r\nensure the safety of our customers.\r\nSubject matter experts:\r\nKalpesh Mantri\r\nBajrang Mane\r\nPavankumar Chaudhari\r\nSource: https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/"
	],
	"report_names": [
		"gorgon-apt-targeting-msme-sector-in-india"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "414d7c65-5872-4e56-8a7d-49a2aeef1632",
			"created_at": "2025-08-07T02:03:24.7983Z",
			"updated_at": "2026-04-10T02:00:03.76109Z",
			"deleted_at": null,
			"main_name": "COPPER FIELDSTONE",
			"aliases": [
				"APT36 ",
				"Earth Karkaddan ",
				"Gorgon Group ",
				"Green Havildar ",
				"Mythic Leopard ",
				"Operation C-Major ",
				"Operation Transparent Tribe ",
				"Pasty Draco ",
				"ProjectM ",
				"Storm-0156 "
			],
			"source_name": "Secureworks:COPPER FIELDSTONE",
			"tools": [
				"CapraRAT",
				"Crimson RAT",
				"DarkComet",
				"ElizaRAT",
				"LuminosityLink",
				"ObliqueRAT",
				"Peppy",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18278778-fa63-4a9a-8988-4d266b8c5c1a",
			"created_at": "2023-01-06T13:46:38.769816Z",
			"updated_at": "2026-04-10T02:00:03.094179Z",
			"deleted_at": null,
			"main_name": "The Gorgon Group",
			"aliases": [
				"Gorgon Group",
				"Subaat",
				"ATK92",
				"G0078",
				"Pasty Gemini"
			],
			"source_name": "MISPGALAXY:The Gorgon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "97fdaf9f-cae1-4ccc-abe2-76e5cbc0febd",
			"created_at": "2022-10-25T15:50:23.296989Z",
			"updated_at": "2026-04-10T02:00:05.347085Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"Gorgon Group"
			],
			"source_name": "MITRE:Gorgon Group",
			"tools": [
				"NanoCore",
				"QuasarRAT",
				"Remcos",
				"njRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6c4e4b91-1f98-49e2-90e6-435cea8d3d53",
			"created_at": "2022-10-25T16:07:23.693797Z",
			"updated_at": "2026-04-10T02:00:04.711987Z",
			"deleted_at": null,
			"main_name": "Gorgon Group",
			"aliases": [
				"ATK 92",
				"G0078",
				"Pasty Draco",
				"Subaat",
				"TAG-CR5"
			],
			"source_name": "ETDA:Gorgon Group",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Atros2.CKPN",
				"Bladabindi",
				"CinaRAT",
				"Crimson RAT",
				"ForeIT",
				"Jorik",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"MSIL",
				"MSIL/Crimson",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Origin Logger",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"SEEDOOR",
				"Scarimson",
				"Socmer",
				"Yggdrasil",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775792156,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfdaea15dc2c8a19ce0a09db9dd0e5745f71e4ea.pdf",
		"text": "https://archive.orkl.eu/bfdaea15dc2c8a19ce0a09db9dd0e5745f71e4ea.txt",
		"img": "https://archive.orkl.eu/bfdaea15dc2c8a19ce0a09db9dd0e5745f71e4ea.jpg"
	}
}