A previously unknown state-sponsored attacker has been found to be deploying a novel toolset in attacks targeting telecom operators and IT companies in South Asia.
How a previously unidentified attack group is spying on IT, telecom and government victims
Tracked by Symantec researchers as Harvester, the group’s objective appears to be to gather information in a highly targeted espionage campaign focused on IT, telecommunications, and government agencies.
The malicious tools used by Harvester have never been seen before, indicating that it is a threat group with no ties to any known adversaries.
The tools’ features, custom development, and targeted victims all suggest that Harvester is a state-sponsored group.
The following is a summary of the tools used by Harvester’s operators in the attacks:
- Backdoor.Graphon – A custom backdoor that uses Microsoft infrastructure for C&C activity.
- Custom Downloader – A custom downloader that uses Microsoft’s infrastructure for C&C activity.
- Custom Screenshotter – Records periodic screenshots to a file.
- Cobalt Strike Beacon – Uses CloudFront infrastructure for C&C activity. (Cobalt Strike is a commercially available tool that can be used to execute commands, inject into other processes, elevate the current process, impersonate other processes, upload and download files, etc.)
- Metasploit – An off-the-shelf modular framework that can be used on the victim’s machine for a variety of malicious purposes, including privilege escalation, screen capture, and setting up persistent backdoors.
Although Symantec analysts were unable to uncover the initial route of infection, they have seen evidence that a malicious URL was used for that purpose.
The distinguishing feature is the way the custom downloader works: it creates the necessary files on the system, adds registry values for new load points, and finally opens an embedded web browser at hxxps://usedust[.]com.
This appears to be the point at which Backdoor.Graphon is retrieved, but the actor is just using this URL as a decoy to cause confusion.
The screenshot tool captures images of the victim’s desktop, saves them in a password-protected ZIP archive, and exfiltrates them through Graphon.
The ZIP archives are kept for one week; anything older than that is deleted automatically.
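One defender-side hunt for the staging pattern just described (screenshots dropped into password-protected ZIP archives that live for about a week), as an added example that is not from Symantec's report or tooling; the scan directory, file names and the constructed sample archives are assumptions:

```python
import os
import struct
import tempfile
import time
import zipfile
import zlib

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag word

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    # Minimal single-entry stored ZIP; encrypted=True only sets the flag bit
    # (no real ZipCrypto), which is enough to drive the hunt logic below.
    flags = ENCRYPTED_FLAG if encrypted else 0
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0, crc, len(data), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(data), 0)
    return local + data + central + eocd

def encrypted_members(path: str) -> list[str]:
    # Names of entries whose general-purpose flag marks them as encrypted.
    with zipfile.ZipFile(path) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]

def hunt_recent_encrypted_zips(directory: str, max_age_days: int = 7) -> list[str]:
    # .zip files modified within max_age_days that hold encrypted members;
    # the week-long retention window on the page is the default age bound.
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.lower().endswith(".zip") and os.path.getmtime(path) >= cutoff:
            try:
                if encrypted_members(path):
                    hits.append(entry)
            except zipfile.BadZipFile:
                continue  # corrupt or non-ZIP content: skip, keep sweeping
    return hits

def demo() -> list[str]:
    # Constructed sample: one "encrypted" and one plain archive in a temp dir.
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "screens-001.zip"), "wb") as f:
        f.write(build_zip(b"shot.png", b"\x89PNG constructed bytes", True))
    with open(os.path.join(d, "notes.zip"), "wb") as f:
        f.write(build_zip(b"notes.txt", b"plain text", False))
    return hunt_recent_encrypted_zips(d)
```

In a real sweep, point hunt_recent_encrypted_zips at user profile and temp directories and correlate hits with the process that wrote them rather than treating every encrypted archive as malicious.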
Symantec has warned that Harvester is still active and primarily targets organizations in Afghanistan.