Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia

The most notable aspect of this campaign is the previously unseen toolset used by the attackers. The attackers deployed a custom backdoor called Backdoor.Graphon alongside additional tools such as downloaders and screenshot utilities, providing remote access and enabling data exfiltration.

Initial Infection and Attack Strategy

The exact initial infection vector used by the Harvester group remains unknown. However, the first sign of Harvester activity on victim machines was a malicious URL. After establishing access, the attackers deployed various tools, including their custom Graphon backdoor, to gain persistent remote access. They also attempted to blend their activities with legitimate network traffic by leveraging CloudFront and Microsoft infrastructure for command and control (C&C) operations.

Tools Used by the Attackers

1. Backdoor.Graphon

• Custom backdoor utilizing Microsoft infrastructure for C&C communication.

2. Custom Downloader

• Uses Microsoft infrastructure for C&C activities.
• Leverages Costura Assembly Loader to execute malicious payloads.
• Checks for the existence of:[ARTEFACTS_FOLDER]winser.dll
  • If missing, downloads a copy from:
  hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210
  • Creates the file:
  "[ARTEFACTS_FOLDER]Microsoft Services[.]vbs"
  • Sets registry value for persistence:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MicrosoftSystemServices" = "[ARTEFACTS_FOLDER]Microsoft Services[.]vbs"
  • Opens an embedded browser at:
  hxxps://usedust[.]com
  • This URL appears to be a decoy to mislead victims.

3. Custom Screenshot Tool

• Captures and logs screenshots.
• Uses Costura Assembly Loader.
• Saves images to a password-protected ZIP archive.
• Deletes archives older than one week.

4. Cobalt Strike Beacon

• Uses CloudFront infrastructure for C&C.
• Executes commands, injects processes, elevates privileges, and exfiltrates files.

5. Metasploit Framework

• Off-the-shelf tool for:
  • Privilege escalation
  • Screen capture
  • Backdoor persistence
  • Additional malicious activities

Backdoor.Graphon Execution and C&C Communication

• Compiled as: .NET PE DLL
• Exported Function: Main
• PDB File Path:D:\OfficeProjects\Updated Working Due to Submission4.5\Outlook_4.5\Outlook 4.5.2 32 bit New without presistancy\NPServices\bin\x86\Debug\NPServices[.]pdb

C&C Server Communication

Once executed, Backdoor.Graphon attempts to connect to attacker-controlled servers hosted on Microsoft infrastructure:

hxxps://microsoftmsdn[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]
hxxps://microsoftsgraphapi[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]
hxxps://msdnmicrosoft.azurewebsites[.]net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]

Attacker Command Execution

• Attackers send GET requests to C&C servers.
• Responses are extracted and deleted after execution.
• cmd.exe retrieves output and error streams.
• Data is encrypted and sent back to attacker-controlled servers.

Conclusion

The Harvester group has employed a sophisticated toolset to maintain persistence, evade detection, and exfiltrate sensitive data. Their use of legitimate cloud infrastructure for C&C operations highlights their attempt to blend in with normal network activity. Security teams should monitor for suspicious C&C activity, unusual registry modifications, and unauthorized data exfiltration attempts to mitigate this threat.