Harvester APT

Details about a previously unknown APT (Advanced Persistent Threat) group have been revealed in a new report by threat researchers. The hacker group is tracked as Harvester, and its detected threatening operations consist of espionage attacks against targets in South Asia, mainly in Afghanistan. The targeted corporations stem from several different industry sectors, including government, telecommunications and IT. The focus on Afghanistan, in particular, is interesting, having in mind the recent major events that took place there, such as the decision of the U.S. to withdraw its army after maintaining a presence in the country for two decades.

Although at the moment there isn't enough data to pinpoint the exact nation-state that is backing Harvester's activities, certain evidence such as the group's attacks not being financially motivated and the use of several custom-built threatening tools point towards it being a state-sponsored cybercrime outfit definitely.

Threatening Arsenal

The Harvester APT employs a mix of custom malware and publicly available tools to create a backdoor on the compromised machines and then siphon information from them. The initial attack vector through which the attackers establish a foothold inside the targeted organization remains unknown. However, the hackers' activities after that have been pretty clear.

First, they deploy a custom downloader on the breached system. The malware then delivers the next-stage payload - a custom backdoor threat named Backdoor.Graphon. Additional payloads also have been discovered as part of Harvester's attacks. These include a custom screenshot grabber, the Cobalt Strike Beacon tool, commonly abused by cybercriminals, and Metasploit, a modular framework that can be used for numerous intrusive purposes. 

Attack Details

Through the combination of deployed threats, Harvester can perform various harmful actions. It can capture photos of the system's screen that are then stored in a password-protect ZIP file. The file is then exfiltrated to the Command-and-Control (C2, C&C) infrastructure of the operation. Via the Cobalt Strike Beacon, the cybercriminals can execute arbitrary commands, manipulate the file system, collect files, start or terminate processes and more.

On the other hand, Metasploit allows them to achieve privilege escalation, set up a persistence mechanism for their backdoor, screen capture, etc. To hide the communication between the deployed threats and the C2 servers, Harvesters attempt to blend the abnormal outgoing traffic with the normal network traffic of the compromised organization by leveraging legitimate CloudFront and Microsoft infrastructure.