Graphon Backdoor Description
The Graphon Backdoor is a custom-built backdoor threat that is being deployed as part of the threatening activities of a newly discovered APT (Advanced Persistent Threat) group named Harvester. The hackers appear to be focused on conducting espionage attack campaigns against targets located in South Asia, in Afghanistan specifically. The detected victims operate in several different sectors, including IT, government and telecommunication. For now, it is not immediately clear which nation-state is backing Harvester's threatening activities.
The Graphon Backdoor is delivered to the compromised systems by another custom-built threat that acts as a downloader. The backdoor is compiled as .NET PE DLL file. The corrupted file is dropped in the following location:
D:\OfficeProjects\Updated Working Due to Submission\4.5\Outlook_4.5\Outlook 4.5.2 32 bit New without presistancy\NPServices\bin\x86\Debug\NPServices[.]pdb
Graphon tries to establish a connection with its Command-and-Control (C2, C&C) servers. The hackers host the backdoor's C2 infrastructure on Microsoft infrastructure to mask the suspicious outbound traffic. When fully deployed, Graphon will start obtaining specific data, which is then encrypted and exfiltrated to the attacker's servers.