Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia

The most notable thing about this campaign is the previously unseen toolset deployed by the attackers.

The attackers deployed a custom backdoor called Backdoor.Graphon on victim machines alongside other downloaders and screenshot tools that provided the attackers with remote access and allowed them to spy on user activities and exfiltrate information.

Analysts do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence found of Harvester activity on victim machines was a malicious URL. The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network. The group also tried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity.

Tools used:

Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
Custom Downloader – uses Microsoft infrastructure for its C&C activity
Custom Screenshotter – periodically logs screenshots to a file
Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, setting up a persistent backdoor, and more.

The custom downloader used by the attackers leverages the Costura Assembly Loader. Once on a victim machine, it checks if the following file exists:

[ARTEFACTS_FOLDER]\winser.dll

If the file does not exist, it downloads a copy from the following URL:

hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210

Next, the sample creates the following file if it does not exist:

[ARTEFACTS_FOLDER]\Microsoft Services[.]vbs

Then it sets the following registry value to create a loadpoint:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MicrosoftSystemServices" = "[ARTEFACTS_FOLDER]\Microsoft Services[.]vbs"

Finally, it opens an embedded web browser within its own UI using the following URL:

hxxps://usedust[.]com

While it initially appeared that this URL may have been a loadpoint for Backdoor.Graphon, upon further investigation it appears to be a decoy intended to confuse affected users.

Backdoor.Graphon is compiled as a .NET PE DLL with export “Main” and the following PDB file name:

D:\OfficeProjects\Updated Working Due to Submission\4.5\Outlook_4.5\Outlook 4.5.2 32 bit New without presistancy\NPServices\bin\x86\Debug\NPServices[.]pdb

When this is executed, it attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure:

hxxps://microsoftmsdn[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]
hxxps://microsoftsgraphapi[.]azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]
hxxps://msdnmicrosoft.azurewebsites[.]net/api/Values_V1/AuthAsyncComplete_V1?Identity=[INFECTION_ID]

The backdoor then runs cmd.exe, controlling its input stream and capturing its output and error streams. It also periodically sends GET requests to the C&C server; the content of any returned messages is extracted and the messages are then deleted.

Data that cmd.exe pulled from the output and error streams is encrypted and sent back to the attackers’ servers.
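As an added detection example (not part of the original report), the following Python script scans proxy log lines for the downloader URL and the Backdoor.Graphon C&C URLs listed above. The log format and the sample lines are constructed for this example; the hosts and paths are the report's own indicators, re-fanged for matching. Because azurewebsites.net is shared infrastructure, the script also flags the distinctive API paths on any other azurewebsites.net host as a lower-confidence hunt hit.

```python
import re
from urllib.parse import urlsplit

# Hosts quoted in the report (defanging removed so they can be matched).
HARVESTER_HOSTS = {
    "outportal.azurewebsites.net",           # custom downloader
    "microsoftmsdn.azurewebsites.net",       # Backdoor.Graphon C&C
    "microsoftsgraphapi.azurewebsites.net",  # Backdoor.Graphon C&C
    "msdnmicrosoft.azurewebsites.net",       # Backdoor.Graphon C&C
}

# API paths from the report: the downloader's Values_V2/Getting3210 and
# Graphon's Values_V1/AuthAsyncComplete_V1?Identity=<id> (query ignored here).
PATH_RE = re.compile(r"/api/Values_V[12]/(Getting3210|AuthAsyncComplete_V1)\b")

# Assumed (constructed) proxy log layout: "<timestamp> <src_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify(url):
    """Return 'known-host', 'path-only' (look-alike host, same API path) or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in HARVESTER_HOSTS:
        return "known-host"
    if host.endswith(".azurewebsites.net") and PATH_RE.search(parts.path):
        return "path-only"
    return None


def scan_proxy_log(lines):
    """Return one dict per suspicious request: source IP, host, method, verdict."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        verdict = classify(m["url"])
        if verdict:
            hits.append({"src": m["src"], "host": urlsplit(m["url"]).hostname,
                         "method": m["method"], "verdict": verdict})
    return hits


# Constructed sample log: two hits on report hosts, one benign Microsoft login,
# one look-alike azurewebsites host reusing the Graphon path, one unrelated domain.
SAMPLE_LOG = [
    "2021-10-18T09:14:02Z 10.20.30.40 GET https://outportal.azurewebsites.net/api/Values_V2/Getting3210 200",
    "2021-10-18T09:15:11Z 10.20.30.40 GET https://microsoftmsdn.azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=abc123 200",
    "2021-10-18T09:16:00Z 10.20.30.41 GET https://login.microsoftonline.com/common/oauth2/v2.0/token 200",
    "2021-10-18T09:17:30Z 10.20.30.42 GET https://other-app.azurewebsites.net/api/Values_V1/AuthAsyncComplete_V1?Identity=zz 200",
    "2021-10-18T09:18:00Z 10.20.30.43 GET https://example.com/api/Values_V1/AuthAsyncComplete_V1 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns three hits: the two known-host requests from 10.20.30.40 and a path-only hit from 10.20.30.42; the login.microsoftonline.com and example.com lines are not flagged.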

The custom screenshot tool was also packed with the Costura Assembly Loader. It periodically captures screenshots and saves them to a password-protected ZIP archive for exfiltration, deleting any archives older than a week.
