An unidentified state-sponsored actor is employing a unique toolset in cyberattacks targeting communications carriers and IT corporations in South Asia. Symantec researchers have tracked it as Harvester.
The group's aim is to gather intelligence through highly focused espionage campaigns against IT, telecom, and government organizations. Harvester's custom tools had never been observed in the wild before, suggesting a new threat actor with no known links to existing groups.
Harvester operators employ the following tools in their attacks:
- Backdoor.Graphon – a custom backdoor whose C&C communication runs over Microsoft infrastructure
- Custom Downloader – C&C communication also runs over Microsoft infrastructure
- Custom Screenshotter – periodically captures screenshots and saves them to a file
- Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C traffic (Cobalt Strike is an off-the-shelf tool for running commands, injecting into other processes, elevating or impersonating existing processes, and uploading and downloading files)
- Metasploit – an off-the-shelf modular framework that can be used on compromised machines for many malicious purposes, including privilege escalation, screen capture, and establishing a persistent backdoor
While Symantec's researchers could not pinpoint the initial infection vector, there is evidence that a malicious URL was used.
Graphon gives the actors remote access to the victim network and hides their presence by blending command-and-control (C2) traffic with legitimate network traffic to Microsoft infrastructure and CloudFront.
The custom downloader is notable for how it operates: it creates the files it needs on the system, adds a registry value as a new load-point for persistence, and then opens an embedded web browser at hxxps:/usedust[.]com. Although this looks as if Backdoor.Graphon is being retrieved from that location, the actors are using the URL purely as a decoy to mislead analysts.
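To turn the downloader behaviour just described into a detection check, here is an added example (not Symantec's code, nor anything from the Harvester toolset) that correlates, per process, a Run-key load-point write with a DNS lookup of the decoy domain; the event format and the sample records are constructed for illustration.

```python
# Added example: flag a process that both writes a registry load-point (Run/RunOnce)
# and resolves the decoy domain named in the report within a short time window.
# A Run-key write alone is noisy; pairing it with the decoy lookup by the same
# process attributes the persistence to the downloader. Events are constructed.
import re
from collections import defaultdict

DECOY_DOMAIN = "usedust.com"  # written defanged in the report as usedust[.]com
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed, Sysmon-style events: (timestamp_seconds, event_kind, pid, detail)
EVENTS = [
    (100, "reg_set", 4120, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    (103, "dns_query", 4120, "usedust.com"),
    (250, "reg_set", 5010, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    (260, "dns_query", 5010, "login.microsoftonline.com"),
    (900, "dns_query", 7777, "usedust.com"),  # lookup without a load-point write
]

def flag_loadpoint_with_decoy(events, window=60):
    """Return {pid: run_key_path} for processes that wrote a Run-key value and
    queried the decoy domain within `window` seconds of that write."""
    by_pid = defaultdict(list)
    for ts, kind, pid, detail in events:
        by_pid[pid].append((ts, kind, detail))
    hits = {}
    for pid, evs in by_pid.items():
        reg = [(ts, d) for ts, kind, d in evs if kind == "reg_set" and RUN_KEY.search(d)]
        dns = [ts for ts, kind, d in evs if kind == "dns_query" and d.lower() == DECOY_DOMAIN]
        for reg_ts, path in reg:
            if any(abs(q - reg_ts) <= window for q in dns):
                hits[pid] = path
                break
    return hits

if __name__ == "__main__":
    for pid, path in flag_loadpoint_with_decoy(EVENTS).items():
        print(f"pid {pid}: load-point {path} paired with decoy lookup of {DECOY_DOMAIN}")
```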
The custom screenshotter captures images of the desktop and stores them in a password-protected ZIP archive, which Graphon then exfiltrates. Each ZIP file is kept for a week, after which it is automatically deleted.
Harvester is an active threat, according to Symantec, and is currently targeting companies in Afghanistan.
Despite being able to sample the new group’s tools, the researchers do not have enough evidence to link the behavior to a single country.