Harvester Threat Actor Targeting Telcos in Multiple Countries

According to Symantec's research, a newly discovered threat actor, sponsored by a nation-state, has been targeting organisations in South Asia. “The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.”

Backdoor.Graphon is a custom backdoor used by the attackers. Graphon was installed on victims' machines alongside other downloaders and screenshot tools, giving the attackers remote access and allowing them to spy on victims and exfiltrate data. By using legitimate CloudFront and Microsoft infrastructure for command and control, the group also tried to blend its activity in with legitimate network traffic.

Tools used:

  • Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
  • Custom Downloader – uses Microsoft infrastructure for its C&C activity
  • Custom Screenshotter – periodically logs screenshots to a file
  • Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
  • Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, setting up a persistent backdoor, and more.

The custom downloader used by the attackers leverages the Costura Assembly Loader. Once on a victim machine, it checks if the following file exists:

  • [ARTEFACTS_FOLDER]\winser.dll

If the file does not exist, it downloads a copy from the following URL:

  • hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210

The researchers continue the analysis: “After that, the attackers run instructions to control their input stream and record the output and error streams. They also send GET requests to the C&C server on a regular basis, extracting the content of any returned messages and then deleting them. Data from the output and error streams is encoded and transferred back to the attackers' servers through cmd.exe.”

Operators can use the custom screenshot tool to capture screenshots, which are then saved in a password-protected ZIP archive for exfiltration. All archives older than a week are deleted by the malware.

Given the recent change in Afghanistan, the campaign's targeting of organisations in that nation is also notable. Harvester's activities make it clear that the goal of this campaign is espionage, which is a common motive for nation-state-backed action.

Because Harvester's most recent activity was observed earlier this month, organisations in the sectors and regions specified should be on the lookout for this malicious behaviour.

Indicators of Compromise

SHA-256 file hashes:

  • 0740cc87a7d028ad45a3d54540b91c4d90b6fc54d83bb01842cf23348b25bc42
  • 303f93cc47c58e64665f9e447ac11efe5b83f0cfe4253f3ff62dd7504ee935e0
  • 3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59
  • 3c8fa5cc50eb678d9353c9f94430eeaa74b36270c13ba094dc5c124259f0dc31
  • 470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3
  • 691e170c5e42dd7d488b9d47396b633a981640f8ab890032246bf37704d4d865
  • a4935e31150a9d6cd00c5a69b40496fea0e6b49bf76f123ea34c3b7ea6f86ce6
  • c4b6d7e88a63945f3e0768657e299d2d3a4087266b4fc6b1498e2435e311f5d1
  • cb5e40c6702e8fe9aa64405afe462b76e6fe9479196bb58118ee42aba0641c04
  • d84a9f7b1d70d83bd3519c4f2c108af93b307e8f7457e72e61f3fa7eb03a5f0d
  • f4a77e9970d53fe7467bdd963e8d1ce44a2d74e3e4262cd55bb67e7b3001c989
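To turn the indicators on this page into something a SOC can actually run, here is an added example (not code from the article or from Symantec) that matches the published SHA-256 hashes, the downloader's C&C hostname and the winser.dll artefact name against a file inventory and a web-proxy log. The proxy log format, the file inventory and all sample entries are constructed for this example and are not real telemetry; adapt the log parser to the format your own proxy produces.

```python
"""Match the Harvester IoCs from the article against files and proxy logs."""
import hashlib
import re

# SHA-256 hashes listed in the article's Indicators of Compromise section.
HARVESTER_SHA256 = {
    "0740cc87a7d028ad45a3d54540b91c4d90b6fc54d83bb01842cf23348b25bc42",
    "303f93cc47c58e64665f9e447ac11efe5b83f0cfe4253f3ff62dd7504ee935e0",
    "3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59",
    "3c8fa5cc50eb678d9353c9f94430eeaa74b36270c13ba094dc5c124259f0dc31",
    "470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3",
    "691e170c5e42dd7d488b9d47396b633a981640f8ab890032246bf37704d4d865",
    "a4935e31150a9d6cd00c5a69b40496fea0e6b49bf76f123ea34c3b7ea6f86ce6",
    "c4b6d7e88a63945f3e0768657e299d2d3a4087266b4fc6b1498e2435e311f5d1",
    "cb5e40c6702e8fe9aa64405afe462b76e6fe9479196bb58118ee42aba0641c04",
    "d84a9f7b1d70d83bd3519c4f2c108af93b307e8f7457e72e61f3fa7eb03a5f0d",
    "f4a77e9970d53fe7467bdd963e8d1ce44a2d74e3e4262cd55bb67e7b3001c989",
}

# The downloader's C&C URL as published (defanged). It is refanged only in
# memory so the hostname can be compared with what a proxy log records.
CC_URL_DEFANGED = "hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210"

# Artefact the downloader checks for on disk. A bare file name is a weak
# indicator on its own, so hits are labelled separately from hash hits.
ARTEFACT_NAME = "winser.dll"


def refang(indicator: str) -> str:
    """Turn 'hxxps://host[.]tld' back into 'https://host.tld'."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


CC_HOST = re.match(r"https?://([^/]+)", refang(CC_URL_DEFANGED)).group(1)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_files(files: dict, iocs=HARVESTER_SHA256) -> list:
    """files maps path -> file bytes. Returns (path, reason) for every file
    whose SHA-256 is in the IoC set, plus any file named winser.dll."""
    hits = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in iocs:
            hits.append((path, "sha256:" + digest))
        elif path.lower().replace("\\", "/").endswith("/" + ARTEFACT_NAME):
            hits.append((path, "artefact-name:" + ARTEFACT_NAME))
    return hits


# Constructed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def match_proxy_log(lines, cc_host=CC_HOST) -> list:
    """Return one record per request whose hostname equals the C&C host.
    Matching on the host rather than the full URL also catches other paths
    under the same attacker-controlled Azure Web App name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        host = re.match(r"https?://([^/:]+)", m["url"])
        if host and host.group(1).lower() == cc_host:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"]})
    return hits


def beacon_counts(hits) -> dict:
    """Count C&C requests per client; the downloader polls the C&C on a
    regular basis, so repeated hits from one host are the thing to triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


# Constructed sample log: two polls from one client, plus benign traffic.
SAMPLE_PROXY_LOG = [
    "2021-10-12T09:14:02Z 10.0.4.17 GET https://outportal.azurewebsites.net/api/Values_V2/Getting3210 200",
    "2021-10-12T09:14:05Z 10.0.4.17 GET https://www.example.org/news 200",
    "2021-10-12T09:19:03Z 10.0.4.17 GET https://outportal.azurewebsites.net/api/Values_V2/Getting3210 200",
    "2021-10-12T09:20:11Z 10.0.4.22 GET https://www.example.net/ 200",
]

if __name__ == "__main__":
    for rec in match_proxy_log(SAMPLE_PROXY_LOG):
        print("C&C request:", rec)
    print("requests per client:", beacon_counts(match_proxy_log(SAMPLE_PROXY_LOG)))
```

To use this against real data, feed `match_files` a mapping built by walking the directories you care about and reading each file's bytes, and feed `match_proxy_log` the lines of your proxy export after adjusting `LOG_RE` to its column order; a hash hit is high-confidence, a name-only winser.dll hit needs a look at the file's origin before escalation.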
