The most notable thing about this campaign is the previously unseen toolset deployed by the attackers.
The attackers deployed a custom backdoor called Backdoor.Graphon on victim machines alongside other downloaders and screenshot tools that provided the attackers with remote access and allowed them to spy on user activities and exfiltrate information.
Analysts do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence found of Harvester activity on victim machines was a malicious URL. The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network. The group also tried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity.
Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
Custom Downloader – uses Microsoft infrastructure for its C&C activity
Custom Screenshotter – periodically logs screenshots to a file
Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, setting up a persistent backdoor, and more.
The custom downloader used by the attackers leverages the Costura Assembly Loader. Once on a victim machine, it checks if the following file exists:
If the file does not exist it downloads a copy from the following URL:
Next, the sample creates the following file if it does not exist:
Then it sets the following registry value to create a loadpoint:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MicrosoftSystemServices" = "[ARTEFACTS_FOLDER]\Microsoft Services[.]vbs"
Finally it opens an embedded web browser within its own UI using the following URL:
While it initially appeared that this URL may have been a loadpoint for Backdoor.Graphon, upon further investigation it appears to be a decoy to confuse any affected users.
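The Run-key loadpoint above is the most durable artefact of this downloader, so it is worth hunting for. The following Python is an added example, not part of the original report: it parses a .reg export of the HKCU Run key and flags both the value name the report gives and any Run value that launches a .vbs script. The sample export, the user profile path and the "Artefacts" folder name are constructed for the demonstration.

```python
"""Hunt for the Harvester downloader loadpoint in a Run-key export.

Added example, not from the original report. It parses a text export in the
format written by `reg export` (a .reg file) and flags values matching the
loadpoint described above: value name "MicrosoftSystemServices" or any value
whose data launches a .vbs script. The sample export below is constructed.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "MicrosoftSystemServices"  # value name given in the report

# Constructed sample .reg export: one benign entry plus the loadpoint.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MicrosoftSystemServices"="C:\\Users\\alice\\AppData\\Roaming\\Artefacts\\Microsoft Services.vbs"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text: str) -> dict[str, str]:
    """Return {value_name: data} for the Run key in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line.strip()) if in_key else None
        if m:
            # .reg files escape backslashes and double quotes; undo that.
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            values[m.group("name")] = data
    return values

def suspicious_run_entries(values: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (name, data, reason) for entries worth triage: the report's
    value name, or any Run value that starts a VBScript (rare for legitimate
    software and the technique this downloader uses)."""
    hits = []
    for name, data in values.items():
        if name == IOC_VALUE_NAME:
            hits.append((name, data, "value name matches Harvester loadpoint"))
        elif re.search(r"\.vbs\b", data, re.IGNORECASE):
            hits.append((name, data, "Run value launches a VBScript"))
    return hits

if __name__ == "__main__":
    for name, data, why in suspicious_run_entries(parse_run_values(SAMPLE_REG)):
        print(f"[!] {name} -> {data} ({why})")
```

On a live host, feed the function the output of `reg export "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` rather than the constructed sample; the rule on the value name is the report's IoC, the .vbs rule is a broader heuristic and will need tuning per environment.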
Backdoor.Graphon is compiled as a .NET PE DLL with export “Main” and the following PDB file name:
D:\OfficeProjects\Updated Working Due to Submission\4.5\Outlook_4.5\Outlook 4.5.2 32 bit New without presistancy\NPServices\bin\x86\Debug\NPServices[.]pdb
When this is executed, it attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure.
The attackers then run commands to control their input stream and capture the output and error streams. They also periodically send GET requests to the C&C server, with the content of any returned messages extracted and then deleted.
Data that cmd.exe pulled from the output and error streams is encrypted and sent back to the attackers’ servers.
The custom screenshot tool was also packed with the Costura Assembly Loader. The screenshot tool periodically captures screenshots and saves them to a password-protected ZIP archive for exfiltration, deleting any archives older than a week.