Harvester Threat Actor Targeting Telcos in Multiple Countries

According to Symantec’s research, a newly discovered, nation-state-sponsored actor is targeting organisations in South Asia. “The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.”

Backdoor.Graphon was a custom backdoor used by the attackers. Graphon was installed on victims’ machines together with a downloader and a screenshot tool, giving the attackers remote access and allowing them to spy on victims and exfiltrate data. By routing traffic through legitimate CloudFront and Microsoft infrastructure, the group also tried to blend its activity in with normal network traffic.

Tools used:

  • Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
  • Custom Downloader – uses Microsoft infrastructure for its C&C activity
  • Custom Screenshotter – periodically logs screenshots to a file
  • Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
  • Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, setting up a persistent backdoor, and more.

The custom downloader used by the attackers leverages the Costura Assembly Loader. Once on a victim machine, it checks whether the following file exists:

  • [ARTEFACTS_FOLDER]\winser.dll

If the file does not exist, it downloads a copy from the following URL:

  • hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210

The researchers continue the analysis: “After that, the attackers run instructions to control their input stream and record the output and error streams.” The downloader also sends GET requests to the C&C server on a regular basis, extracting the content of any returned messages and then deleting them.

Data from the output and error streams is encoded and sent back to the attackers’ servers through cmd.exe. Operators can use the custom screenshot tool to capture screenshots, which are then saved in a password-protected ZIP archive for exfiltration. All archives older than a week are deleted by the malware.
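The downloader behaviour described above (a one-off fetch of the payload URL, then regular GET polling of a C&C server hosted on Microsoft infrastructure) lends itself to two simple proxy-log checks. The following is an added example, not code from Symantec or from the original post: it reverses the defanging of the published downloader URL and flags hosts that poll an azurewebsites.net name at a fixed cadence. The log format, the IP addresses and the hostnames c2-example / intranet-example are constructed for the sample.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Indicator from the post, with the defanging ("hxxps", "[.]") reversed.
DOWNLOADER_URL = "https://outportal.azurewebsites.net/api/Values_V2/Getting3210"
C2_SUFFIX = ".azurewebsites.net"   # Microsoft infrastructure the tools hide behind

def parse_line(line):
    """Constructed log format: '<epoch> <src_ip> <method> <url>'."""
    ts, src, method, url = line.split(maxsplit=3)
    return int(ts), src, method, url

def find_downloader_hits(lines):
    """Source IPs that requested the known downloader URL."""
    return sorted({src for _, src, _, url in map(parse_line, lines)
                   if url == DOWNLOADER_URL})

def find_beacons(lines, min_requests=5, max_cv=0.15):
    """(src_ip, host) pairs that GET an *.azurewebsites.net host on a steady
    timer, scored by the coefficient of variation (stdev/mean) of the gaps."""
    by_pair = defaultdict(list)
    for ts, src, method, url in map(parse_line, lines):
        host = (urlparse(url).hostname or "").lower()
        if method == "GET" and host.endswith(C2_SUFFIX):
            by_pair[(src, host)].append(ts)
    beacons = []
    for pair, stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # A timer-driven poller has a near-zero CV; human browsing does not.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append(pair)
    return beacons

# Constructed sample: 10.0.0.5 fetches the payload, then polls a made-up C&C
# host every 60 s; 10.0.0.9 browses an Azure-hosted site at human intervals.
SAMPLE_LOG = ["1633000000 10.0.0.5 GET " + DOWNLOADER_URL] + [
    f"1633000{100 + 60 * i:03d} 10.0.0.5 GET https://c2-example.azurewebsites.net/api/cmd"
    for i in range(6)
] + [
    "1633000015 10.0.0.9 GET https://intranet-example.azurewebsites.net/",
    "1633000203 10.0.0.9 GET https://intranet-example.azurewebsites.net/news",
    "1633000211 10.0.0.9 GET https://intranet-example.azurewebsites.net/news/2",
    "1633001104 10.0.0.9 GET https://intranet-example.azurewebsites.net/",
    "1633002990 10.0.0.9 GET https://intranet-example.azurewebsites.net/login",
]
```

The cadence check is deliberately conservative (five requests, CV at or below 0.15); tune both thresholds against your own baseline of legitimate Azure-hosted traffic before alerting on it.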

Given the recent changes in Afghanistan, the campaign’s targeting of organisations in that country is also notable. Harvester’s activities make it clear that the goal of this campaign is espionage, which is a common motive for nation-state-backed action.

Because Harvester’s most recent activity was observed earlier this month, organisations in the sectors and regions listed should be on the lookout for this malicious activity.

Indicators of Compromise

For more cyber security news in crisp content, please follow our site via our Twitter handle @cyberworkx1 and LinkedIn handle @linkedin.
