Custom Malware Used by Hackers to Infiltrate Asian Telco Companies

November 10, 2021

In recent attacks, a previously unknown, likely state-sponsored threat group used a custom malware toolset against several IT firms and telecommunication providers in Asian countries, particularly in the southern part of the continent.

The researchers found a tool they call Harvester. The threat group uses it to gather data in a targeted espionage campaign against critical parts of a country's infrastructure, such as IT firms, telecommunication providers, and government entities.

Harvester's toolset had never been seen before, which points to a state-sponsored actor with no known link to any previously identified group. Researchers also noted that the Harvester group uses both custom malware and publicly available tools in its campaigns. The earliest attacks were identified around June of this year, with the most recent activity observed in October.

Further evidence that the group is state-sponsored comes from its capabilities, its custom tooling, and its choice of targets.


What are the tricks and strategies used by the threat actors to infiltrate telco companies and other targets? 

While the researchers could not determine the initial infection vector, some evidence suggests that a malicious URL was used for that purpose.

The Graphon backdoor gives the threat actors remote access to the network. It hides its presence by blending command-and-control communication with legitimate network traffic to Microsoft infrastructure and CloudFront.

In addition, analysts found an intriguing detail in the way the custom downloader operates. The downloader drops the files it needs onto the system, adds a registry value as a new load-point for persistence, and eventually opens an embedded web browser pointing to "hxxps://usedust[.]com."

Although this might look like the location from which 'Backdoor.Graphon' is retrieved, the actors appear to use the URL merely as a distraction.
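As an added illustration (not part of the original article or the researchers' tooling), the following hunting script flags the pattern described above from a defender's side: a process that writes a new autorun load-point pointing into a user-writable directory and then launches a browser within a short window. The event format, the Run key used as the load-point, the process names, and the file paths are constructed assumptions; the article does not disclose the actual registry location Harvester uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Sysmon-style events (not real Harvester telemetry).
# Fields: time|event|acting process|details. The Run key is an assumed
# load-point; the article does not name the real one. The decoy domain is
# the one named in the article, kept defanged.
SAMPLE_EVENTS = """\
2021-10-04T09:12:01|RegistrySet|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc = C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe
2021-10-04T09:12:03|ProcessCreate|C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe|msedge.exe hxxps://usedust[.]com
2021-10-04T09:30:00|RegistrySet|C:\\Program Files\\Vendor\\setup.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor = C:\\Program Files\\Vendor\\agent.exe
2021-10-04T10:00:00|ProcessCreate|C:\\Windows\\explorer.exe|msedge.exe hxxps://intranet.example
"""

AUTORUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
USER_WRITABLE = ("\\AppData\\", "\\Temp\\", "\\Downloads\\", "\\Public\\")
WINDOW = timedelta(seconds=60)  # browser launch must follow persistence this closely

def parse(text):
    """Split the pipe-delimited sample log into (timestamp, kind, process, details)."""
    events = []
    for line in text.splitlines():
        ts, kind, proc, details = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), kind, proc, details))
    return events

def find_suspicious(text):
    """Return (process, url) pairs where a process added an autorun value that
    points into a user-writable path and then spawned a browser within WINDOW."""
    events = parse(text)
    persist = defaultdict(list)  # process -> times it created a suspicious load-point
    for ts, kind, proc, details in events:
        if kind == "RegistrySet" and any(k in details for k in AUTORUN_KEYS):
            target = details.split("=", 1)[1].strip()
            if any(p.lower() in target.lower() for p in USER_WRITABLE):
                persist[proc].append(ts)
    hits = []
    for ts, kind, proc, details in events:
        if kind != "ProcessCreate" or proc not in persist or "://" not in details:
            continue
        # Only correlate a browser launch that follows the persistence write closely.
        if any(timedelta(0) <= (ts - t) <= WINDOW for t in persist[proc]):
            hits.append((proc, details.split(" ", 1)[1]))
    return hits

if __name__ == "__main__":
    for proc, url in find_suspicious(SAMPLE_EVENTS):
        print(f"suspicious: {proc} persisted, then opened {url}")
```

The vendor installer in the sample also writes a Run key, but its target lives under Program Files and no browser launch follows, so it is not reported; only correlated behaviour is flagged.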

The customised screenshot tool captures images of the desktop and saves them to a password-protected ZIP archive, which is then exfiltrated through Graphon. The protected archives are retained for a week; anything older is deleted automatically.

The investigation is not yet concluded, as the researchers do not have sufficient evidence to pinpoint the location of the threat actors or to identify who sponsors them.

Currently, the Harvester group is still active in the wild and targeting several organisations in Afghanistan. 
