Hackers Backed by The Government Infiltrate Telecoms Using Specialized Software

An unidentified state-sponsored actor is employing a unique toolset in cyberattacks targeting communications carriers and IT corporations in South Asia. Symantec researchers have tracked it as Harvester.

The group’s mission is to gather intelligence through highly focused espionage activities targeting IT, telecom, and government institutions. Harvester’s malicious tools have never been seen previously in the wild, implying that this is a new threat actor with no known ties to existing groups.

Harvester operators employ the following tools in their attacks:

  • Backdoor.Graphon – C&C activity is carried out through a bespoke backdoor that leverages Microsoft infrastructure
  • Custom Downloader – C&C operation is run on Microsoft infrastructure
  • Custom Screenshotter – saves screenshots to a file regularly
  • Cobalt Strike Beacon – employs CloudFront infrastructure for its C&C operations (Cobalt Strike is a ready-to-use tool for running commands, injecting other processes, elevating or impersonating existing processes, and uploading and downloading data)
  • Metasploit – an off-the-shelf modular framework that may be used on target PCs for many nefarious reasons, including privilege escalation, screen capture, and setting up a persistent backdoor, among other things

While Symantec’s experts could not pinpoint the initial infection vector, there is evidence that a malicious URL was used.

Graphon provides remote network access to the actors and hides their existence by mixing command-and-control (C2) communication activity with genuine network traffic from Microsoft infrastructure and CloudFront.
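Because Graphon and the Cobalt Strike Beacon hide among legitimate Microsoft and CloudFront traffic, destination reputation alone will not surface them. What a defender can still look for is the timing signature: a beacon checks in at a fixed interval, while genuine CDN fetches are bursty. The script below is an added example, not code from the article or from Symantec. It parses constructed proxy-log lines (timestamp, source IP, destination host, bytes) and flags any source/destination pair whose inter-connection gaps are highly regular, measured by the coefficient of variation of the gaps. The threshold values and the CloudFront hostname are assumptions for illustration.

```python
"""Flag fixed-interval beaconing in proxy logs, independent of destination reputation."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article), one connection per line:
# "<ISO timestamp> <src_ip> <dest_host> <bytes>".
# 10.1.1.20 checks in roughly every 60 s (beacon-like); 10.1.1.30 fetches at random times (CDN-like).
SAMPLE_LOG = """\
2021-10-18T09:00:00 10.1.1.20 d1111abcd.cloudfront.net 812
2021-10-18T09:00:05 10.1.1.30 d1111abcd.cloudfront.net 40211
2021-10-18T09:00:09 10.1.1.30 d1111abcd.cloudfront.net 1287
2021-10-18T09:01:00 10.1.1.20 d1111abcd.cloudfront.net 804
2021-10-18T09:02:01 10.1.1.20 d1111abcd.cloudfront.net 816
2021-10-18T09:02:30 10.1.1.30 d1111abcd.cloudfront.net 90233
2021-10-18T09:02:31 10.1.1.30 d1111abcd.cloudfront.net 2210
2021-10-18T09:03:00 10.1.1.20 d1111abcd.cloudfront.net 809
2021-10-18T09:04:00 10.1.1.20 d1111abcd.cloudfront.net 811
2021-10-18T09:05:01 10.1.1.20 d1111abcd.cloudfront.net 807
2021-10-18T09:05:59 10.1.1.20 d1111abcd.cloudfront.net 813
2021-10-18T09:07:00 10.1.1.20 d1111abcd.cloudfront.net 810
2021-10-18T09:10:00 10.1.1.30 d1111abcd.cloudfront.net 15002
2021-10-18T09:10:02 10.1.1.30 d1111abcd.cloudfront.net 331
2021-10-18T09:45:00 10.1.1.30 d1111abcd.cloudfront.net 7720
"""


def parse_log(text):
    """Group connection timestamps by (source IP, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (connection count, mean gap in seconds, coefficient of variation of gaps).

    Returns None when there are too few connections to judge regularity.
    A coefficient of variation near 0 means the gaps are almost identical.
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return len(ts), mu, pstdev(gaps) / mu


def find_beacons(text, min_connections=6, max_cv=0.2):
    """Return the source/destination pairs whose timing looks like a beacon.

    min_connections and max_cv are assumed tuning values for this example;
    tune them against your own baseline traffic before relying on them.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None:
            continue
        n, mu, cv = score
        if n >= min_connections and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": n,
                         "interval_s": round(mu, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every ~{hit['interval_s']}s "
              f"({hit['connections']} connections, cv={hit['cv']})")
```

Run as-is, the script reports only 10.1.1.20, whose gaps cluster tightly around 60 seconds; 10.1.1.30 talks to the same CloudFront host just as often but with wildly varying gaps and is left alone. Real beacons usually add jitter, so in production widen max_cv and inspect the distribution of gaps rather than trusting a single cutoff.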

The way the custom downloader works is notable: it creates the files it needs on the system, adds a registry value as a new load point, and then opens an embedded web browser at hxxps:/usedust[.]com. Although it looks as though Backdoor.Graphon is being retrieved from this location, the actors are simply using the URL as a ruse to confuse security personnel.

The custom screenshotter takes screenshots of the desktop and stores them in a password-protected ZIP archive, which is then exfiltrated by Graphon. Each ZIP file is kept for a week, after which it is automatically deleted.
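The week-long staging window gives a defender something concrete to hunt for: recently modified, password-protected ZIP archives sitting on disk. The script below is an added example, not code from the article or from Symantec. It checks each archive’s central directory for the ZIP encryption bit (general-purpose flag bit 0), which is set whenever an archive is password-protected, and walks a directory tree for encrypted ZIPs modified within the last seven days. Because Python’s standard library cannot write encrypted ZIPs, the `make_sample_zip` fixture constructs a plain archive and then sets the encryption bit in its headers so the detector has something to find; the member names and contents are constructed for the demo.

```python
"""Hunt for recently modified password-protected ZIP archives staged on disk."""
import io
import os
import struct
import tempfile
import time
import zipfile
from pathlib import Path

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
ENCRYPTED_FLAG = 0x0001      # general-purpose bit flag, bit 0 = member is encrypted


def is_encrypted_zip(path):
    """True if any member listed in the archive's central directory is encrypted.

    Only the central directory is read, so no password is needed and nothing
    is extracted. Non-ZIP or unreadable files return False.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            return any(info.flag_bits & ENCRYPTED_FLAG for info in zf.infolist())
    except (zipfile.BadZipFile, OSError):
        return False


def find_encrypted_archives(root, max_age_days=7):
    """Walk root and return paths of encrypted ZIPs modified within max_age_days."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.stat().st_mtime >= cutoff and is_encrypted_zip(p):
            hits.append(str(p))
    return sorted(hits)


def _set_encryption_flag(data):
    """Set the encryption bit in every local and central header of a ZIP byte string."""
    for sig, flag_offset in ((LOCAL_SIG, 6), (CENTRAL_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
            struct.pack_into("<H", data, pos + flag_offset, flags | ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)
    return data


def make_sample_zip(path, encrypted):
    """Constructed test fixture: a one-member ZIP, optionally marked as encrypted.

    The member is stored uncompressed so the header signatures are the only
    'PK' sequences in the file. Only the flag is changed; the payload itself is
    not encrypted, which is enough for the detector since it inspects headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("screen_001.png", b"\x89PNG constructed placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        data = _set_encryption_flag(data)
    Path(path).write_bytes(bytes(data))


def demo():
    """Build a temporary directory with one encrypted and one plain ZIP and scan it."""
    root = tempfile.mkdtemp(prefix="zip_hunt_")
    staged = os.path.join(root, "staged.zip")
    normal = os.path.join(root, "normal.zip")
    make_sample_zip(staged, encrypted=True)
    make_sample_zip(normal, encrypted=False)
    return {
        "staged_flagged": is_encrypted_zip(staged),
        "normal_flagged": is_encrypted_zip(normal),
        "hits": find_encrypted_archives(root),
        "expected_hits": [staged],
    }


if __name__ == "__main__":
    result = demo()
    for hit in result["hits"]:
        print("encrypted archive staged within the last 7 days:", hit)
```

Point `find_encrypted_archives` at user profile and temp directories on a suspect host; an encrypted ZIP full of image-sized members that nobody admits to creating is worth a closer look. The seven-day default mirrors the retention window described above, but the age filter is only a way to cut noise; drop it when triaging a host where the activity may be older.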

Harvester is an active threat, according to Symantec, and is currently targeting companies in Afghanistan.

Despite being able to sample the new group’s tools, the researchers do not have enough evidence to link the behavior to a single country.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.