19 October 2021

State-sponsored hackers target orgs in South Asia with custom backdoor

Security researchers at Symantec have warned of a previously unknown state-backed hacker group that is using a novel toolset in a cyber-espionage campaign targeting organizations in South Asia, with a focus on Afghanistan.

Dubbed ‘Harvester’, the threat actor has been launching attacks against entities in telecommunications, government, and information technology (IT) sectors since at least June 2021.

The group has been observed using both custom malware and publicly available tools, such as Cobalt Strike Beacon and Metasploit, in their attacks.

The custom malware includes a backdoor called Graphon, which gives the attackers remote access to a victim machine and lets them spy on user activity and exfiltrate information; a custom downloader; and a screenshotter, which captures screenshots and saves them to a password-protected ZIP archive for exfiltration, deleting any archives older than a week. Both the Graphon backdoor and the downloader use Microsoft infrastructure for command and control (C&C) activity.

The researchers said they have yet to identify the initial vector the Harvester group used to breach victim networks, but the first evidence they found of Harvester activity on victim machines was a malicious URL.

“The group also tried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity,” Symantec said.

The custom downloader used by the attackers leverages the Costura Assembly Loader, creates the necessary files on the system, and adds a registry value as a new load-point. Finally, it opens an embedded web browser at hxxps://usedust[.]com, which appears to be a load-point for the Graphon backdoor but is actually a decoy intended to confuse affected users.

Once executed, the backdoor attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure.

“While we do not have enough evidence yet to attribute Harvester’s activity to a specific nation state, the group’s use of custom backdoors, the extensive steps taken to hide its malicious activity, and its targeting all point to it being a state-sponsored actor. Harvester’s use of legitimate infrastructure to host its C&C servers in order to blend in with normal network traffic is one example of the stealthy steps taken by this actor,” the researchers noted in their report.

“The targeting of organizations in Afghanistan in this campaign is also interesting given the huge upheaval seen in that country recently. The activity carried out by Harvester makes it clear the purpose of this campaign is espionage, which is the typical motivation behind nation-state-backed activity,” they concluded.
