Espionage Group ‘Harvester’ Uses New Tools to Target South Asia and Focuses on Afghanistan

By Supriyo Chatterji / October 18, 2021

South-Asian organizations are being targeted by a previously unknown cybersecurity actor. This possibly nation-state-backed entity is known as the Harvester group and uses custom malware as well as open-source tools to perpetrate attacks. Its most recent activities have focused on Afghanistan, where it apparently attempted information theft via a previously unseen toolset. In its most recent October 2021 activities, it targeted several sectors, including telecommunications, government, and information technology (IT).

To conduct the cybersecurity attack, the group used a custom backdoor called Backdoor.Graphon. Once this was installed on targeted devices, they could spy on user activity and exfiltrate information. The first evidence found of this infection appeared as a URL from where the group put in additional tools like screenshot taker and downloaders. It tried to mask its activity with CloudFront and Microsoft infrastructure via the command and control (C&C) activity feature.

In addition, they used Cobalt Strike Beacon and Metasploit to increase their operational process. The first uses CloudFront infrastructure to bolster its C&C functions, which, in turn, enable it to perform several functions like execute commands, prioritize processes, mimic processes, and up/download files. Metasploit uses a modular framework for several malicious purposes via virtual machines, including privilege escalation, screen capture, persistent backdoor setup, etc.

They also used the Costura Assembly Loader, which applies the following functions:

Upon execution, it attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure:

After this, the attackers will run commands that allow them to control their input and capture along with error streams. The hackers would also send frequent GET requests to the C&C server, and the return messages are extracted and deleted. Meanwhile, cmd.exe pulls and encrypts for output and error streams to send to the attackers. The screenshot taker also compiled the pictures in a password-protected ZIP archive for exfiltration while all achieved pics over one week old are deleted.

Security experts say that Harvester’s activities border on espionage. Since Afghanistan is going through a political upheaval, the group’s motivations remain unclear, although its methods point towards nation-state-sponsored activity.

This year we've also seen a Chinese APT group called ‘SharpPanda’ developing and refining a custom backdoor that enabled it to conduct sophisticated cyber-espionage against governments in the Southeast Asian region.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari