Security researchers at Symantec have warned of a previously unknown state-backed hacker group that is using a novel toolset in a cyber-espionage campaign targeting organizations in South Asia, with a focus on Afghanistan.
Dubbed ‘Harvester’, the threat actor has been launching attacks against entities in telecommunications, government, and information technology (IT) sectors since at least June 2021.
The group has been observed using both custom malware and publicly available tools, such as Cobalt Strike Beacon and Metasploit, in their attacks.
The custom malware includes a backdoor called Graphon (which gives the attackers remote access to a victim machine and lets them spy on user activity and exfiltrate information), a custom downloader, and a screenshotter (which captures screenshots of the desktop and saves them to a password-protected ZIP archive for exfiltration, deleting any archives older than a week). Both the Graphon backdoor and the downloader use Microsoft infrastructure for command and control (C&C) activity.
The researchers said they have yet to identify the initial vector Harvester used to breach victim networks; the first evidence they found of Harvester activity on victim machines was a malicious URL.
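The screenshotter's on-disk artifact, a password-protected ZIP full of screenshots, can be triaged without the password, because the ZIP central directory records each entry's name, timestamp and encryption flag in the clear. The following is an added example of such a triage check, not Symantec's tooling or code recovered from the Harvester samples: the archive layout (entry names, image format, PKWARE ZipCrypto flag) is assumed for illustration, and the sample archives are constructed inline by the `build_zip` helper.

```python
"""Triage helper: find password-protected ZIP archives whose entries are all
image files, the kind of artifact the Harvester screenshotter is reported to
leave on disk. Added example; the real archives' names and layout are not
known from the report, so the samples below are constructed test data."""
import struct
import zlib
from datetime import datetime

IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".bmp")

# Fixed-size parts of the three ZIP records we touch (little-endian).
_LFH = struct.Struct("<IHHHHHIIIHH")          # local file header, 30 bytes
_CDH = struct.Struct("<IHHHHHHIIIHHHHHII")    # central directory header, 46 bytes
_EOCD = struct.Struct("<IHHHHIIH")            # end of central directory, 22 bytes


def _dos_datetime(dt):
    """Pack a datetime into the DOS time/date words used by ZIP headers."""
    t = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    d = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return t, d


def _from_dos(t, d):
    """Inverse of _dos_datetime (DOS time has two-second resolution)."""
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, min((t & 0x1F) * 2, 59))


def build_zip(entries, encrypted=False):
    """Build a minimal stored (method 0) ZIP from (name, data, datetime) tuples.

    With encrypted=True the general-purpose flag bit 0 is set, as a PKWARE
    ZipCrypto archive would have it, and a 12-byte placeholder stands in for
    the encryption header. Constructed test data, not a real cipher."""
    flags = 0x0001 if encrypted else 0
    out, central = bytearray(), bytearray()
    for name, data, when in entries:
        t, d = _dos_datetime(when)
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = (b"\x00" * 12 + data) if encrypted else data
        fn, offset = name.encode(), len(out)
        out += _LFH.pack(0x04034B50, 20, flags, 0, t, d, crc,
                         len(body), len(data), len(fn), 0) + fn + body
        central += _CDH.pack(0x02014B50, 20, 20, flags, 0, t, d, crc,
                             len(body), len(data), len(fn), 0, 0, 0, 0, 0, offset) + fn
    cd_offset = len(out)
    out += central
    out += _EOCD.pack(0x06054B50, 0, 0, len(entries), len(entries),
                      len(central), cd_offset, 0)
    return bytes(out)


def parse_central_directory(blob):
    """Walk the central directory and describe each entry (name, whether it
    is encrypted, compression method, modification time).

    Only headers are read, so no password is needed for this triage step."""
    eocd_at = blob.rfind(b"PK\x05\x06")
    if eocd_at < 0:
        raise ValueError("not a ZIP file (no end-of-central-directory record)")
    _, _, _, _, count, _, cd_offset, _ = _EOCD.unpack_from(blob, eocd_at)
    entries, pos = [], cd_offset
    for _ in range(count):
        f = _CDH.unpack_from(blob, pos)
        if f[0] != 0x02014B50:
            raise ValueError("corrupt central directory")
        flags, method, t, d = f[3], f[4], f[5], f[6]
        fn_len, extra_len, comment_len = f[10], f[11], f[12]
        name = blob[pos + _CDH.size: pos + _CDH.size + fn_len].decode("utf-8", "replace")
        entries.append({
            "name": name,
            # bit 0 = traditional ZipCrypto, bit 6 = "strong encryption";
            # method 99 is the WinZip AES scheme, which also implies a password.
            "encrypted": bool(flags & 0x0041) or method == 99,
            "method": method,
            "mtime": _from_dos(t, d),
        })
        pos += _CDH.size + fn_len + extra_len + comment_len
    return entries


def looks_like_screenshot_archive(blob):
    """True when every entry is password-protected and named like an image."""
    entries = parse_central_directory(blob)
    return bool(entries) and all(
        e["encrypted"] and e["name"].lower().endswith(IMAGE_EXTS) for e in entries)


if __name__ == "__main__":
    # Constructed sample: two "screenshots" in a ZipCrypto-flagged archive.
    shots = [("shot_0001.png", b"\x89PNG placeholder", datetime(2021, 6, 14, 9, 30)),
             ("shot_0002.png", b"\x89PNG placeholder", datetime(2021, 6, 14, 9, 35))]
    sample = build_zip(shots, encrypted=True)
    for e in parse_central_directory(sample):
        print(e["name"], e["mtime"], "encrypted" if e["encrypted"] else "plain")
    print("candidate screenshot archive:", looks_like_screenshot_archive(sample))
```

Because the check reads only the central directory, it can be run across a whole filesystem image quickly and then paired with the timestamps it returns: since the report says archives older than a week are deleted, the newest entry time in a matching archive gives a lower bound on how recently the screenshotter was still running on that host.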
“The group also tried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity,” Symantec said.
The custom downloader used by the attackers leverages the Costura Assembly Loader, creates the files it needs on the system, and adds a registry value as a new load-point for persistence. It then opens an embedded web browser at hxxps://usedust[.]com, which appears to be the load-point for the Graphon backdoor but is actually a decoy intended to confuse affected users.
Once executed, the backdoor attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure.
“While we do not have enough evidence yet to attribute Harvester’s activity to a specific nation state, the group’s use of custom backdoors, the extensive steps taken to hide its malicious activity, and its targeting all point to it being a state-sponsored actor. Harvester’s use of legitimate infrastructure to host its C&C servers in order to blend in with normal network traffic is one example of the stealthy steps taken by this actor,” the researchers noted in their report.
“The targeting of organizations in Afghanistan in this campaign is also interesting given the huge upheaval seen in that country recently. The activity carried out by Harvester makes it clear the purpose of this campaign is espionage, which is the typical motivation behind nation-state-backed activity,” they concluded.