Researchers noticed a previously unknown state-sponsored actor that seems to be using a unique combination of tools in cyberattacks against South Asian telecommunications providers and IT corporations.
The group's objective is thought to be information collection, pursued through highly targeted espionage campaigns concentrating on IT, telecom, and government institutions.
The group, dubbed Harvester, uses malicious tools that have never been seen in the wild before, implying that this is a new threat actor not linked to any known adversary.
The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT).
The capabilities of the tools, their custom development, and the victims targeted all suggest that Harvester is a nation-state-backed actor.
The journalists at BleepingComputer put together a list of tools that are used by the Harvester operators in their attacks.
The attackers are apparently using Backdoor.Graphon, Custom Downloader, Custom Screenshotter, Cobalt Strike Beacon, and Metasploit.
The researchers at Symantec were unable to determine the initial infection vector, but they did find some evidence of a malicious URL being used for that purpose.
The Graphon backdoor gives the attackers remote network access and hides their presence by blending command-and-control (C2) communication with legitimate network traffic to CloudFront and Microsoft infrastructure.
The custom downloader is notable for how it works: it creates the files it needs on the system, adds a registry value as a new load-point, and opens an embedded web browser at hxxps:/usedust[.]com.
Although it appears that Backdoor.Graphon is being retrieved from this location, the actors are using the URL only as a ruse to create confusion.
The custom screenshot tool takes snapshots of the desktop and saves them in a password-protected ZIP archive, which is then exfiltrated by Graphon. Each ZIP file is kept for a week, after which it is automatically deleted.
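The registry load-point the downloader adds is the kind of persistence defenders can watch for on endpoints. The following is an added example, not code from the Heimdal or Symantec write-ups: it scans constructed Sysmon-style Event ID 13 (RegistryEvent, value set) records for writes into common Windows autostart keys and raises the risk when the program being launched lives in a user-writable directory. The event records, SIDs and file paths are all constructed for illustration; the Sysmon field names (TargetObject, Details, Image) are the real ones.

```python
"""Flag newly created Windows autostart ("load-point") registry values.

Added example: scans Sysmon-style Event ID 13 (RegistryEvent, value set)
records and reports writes to common autostart keys. All sample events,
SIDs and paths below are constructed, not taken from any report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Registry key suffixes that act as autostart/load-points (matched case-insensitively).
LOAD_POINT_PATTERNS = [
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\",
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup$",
]
LOAD_POINT_RE = re.compile("|".join(LOAD_POINT_PATTERNS), re.IGNORECASE)

# Directories an unprivileged user can write to; a load-point pointing here deserves priority.
USER_WRITABLE_RE = re.compile(
    r"(\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\|\\Public\\)", re.IGNORECASE
)


@dataclass
class Finding:
    key: str         # registry value that was written
    value_data: str  # the program/command the load-point launches
    writer: str      # process image that performed the registry write
    risk: str        # "high" if the launched program sits in a user-writable location


def find_new_load_points(events: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per SetValue event that writes into an autostart key."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") != "13" or ev.get("EventType") != "SetValue":
            continue
        key = ev.get("TargetObject", "")
        if not LOAD_POINT_RE.search(key):
            continue
        data = ev.get("Details", "")
        risk = "high" if USER_WRITABLE_RE.search(data) else "review"
        findings.append(Finding(key=key, value_data=data, writer=ev.get("Image", ""), risk=risk))
    return findings


# Constructed sample events: a vendor updater registering itself, a load-point
# pointing into a user profile written by a binary in Temp, and an unrelated write.
SAMPLE_EVENTS = [
    {"EventID": "13", "EventType": "SetValue",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "Details": r"C:\Program Files\Vendor\update.exe",
     "Image": r"C:\Program Files\Vendor\setup.exe"},
    {"EventID": "13", "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svc_helper",
     "Details": r"C:\Users\alice\AppData\Roaming\svc_helper.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\dl.exe"},
    {"EventID": "13", "EventType": "SetValue",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in find_new_load_points(SAMPLE_EVENTS):
        print(f"[{f.risk}] {f.key} -> {f.value_data} (written by {f.writer})")
```

Run against real Sysmon output, the same function would be fed the parsed EventData of each event; the "review" tier exists because legitimate installers also write Run keys, so the writer image and the launched path are what an analyst should pivot on.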
Harvester is still active and is currently targeting companies in Afghanistan.
Despite being able to sample the new group’s tools, the researchers do not have enough evidence to link the behavior to a single country.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.