- Harvester, a previously unknown hacker group, is using new tools in its espionage actions targeted at South Asia.
- The actors use both custom and open source tools to conduct their nefarious activities, and they seem to be nation-state-backed.
- The group’s most recent activity was in October 2021, with a focus on Afghanistan.
South Asian organizations are being targeted by a previously unknown threat actor. This possibly nation-state-backed entity, known as the Harvester group, uses custom malware as well as open-source tools to carry out its attacks. Its most recent activities have focused on Afghanistan, where it apparently attempted information theft using a previously unseen toolset. In its most recent October 2021 activity, it targeted several sectors, including telecommunications, government, and information technology (IT).
To conduct the attacks, the group used a custom backdoor called Backdoor.Graphon. Once it was installed on targeted devices, the attackers could spy on user activity and exfiltrate information. The first evidence of the infection was a malicious URL from which the group dropped additional tools, such as a screenshot taker and downloaders. The group tried to mask its activity by routing its command-and-control (C&C) traffic through CloudFront and Microsoft infrastructure.
In addition, the attackers used Cobalt Strike Beacon and Metasploit to extend their operations. Cobalt Strike Beacon uses CloudFront infrastructure for its C&C communication, which in turn lets it execute commands, prioritize processes, mimic processes, and upload or download files. Metasploit is a modular framework that serves several malicious purposes via virtual machines, including privilege escalation, screen capture, and persistent backdoor setup.
They also used the Costura Assembly Loader, which performs the following steps:
- Check whether the "[ARTEFACTS_FOLDER]\winser.dll" file exists.
- If the file is not present on the drive, the loader retrieves it with a GET request to hxxps://outportal[.]azurewebsites.net/api/Values_V2/Getting3210.
- Next, "[ARTEFACTS_FOLDER]\Microsoft Services[.]vbs" is created.
- The loader then creates a registry loadpoint for that script: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"MicrosoftSystemServices" = "[ARTEFACTS_FOLDER]\Microsoft Services[.]vbs".
- After this, the loader opens hxxps://usedust[.]com in an embedded web browser within its own UI.
- This URL serves as a loadpoint for Backdoor.Graphon, which is compiled as a .NET PE DLL with the export "Main" and the PDB path "D:\OfficeProjects\Updated Working Due to Submission\4.5\Outlook_4.5\Outlook 4.5.2 32 bit New without presistancy\NPServices\bin\x86\Debug\NPServices[.]pdb".
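The loader chain above leaves two kinds of host and network evidence a defender can hunt for: the Run-key loadpoint named "MicrosoftSystemServices" pointing at a .vbs file, and GET requests to the download and loadpoint hosts. The following Python script is an added example (not code from the article or from Symantec) that parses a registry export in .reg syntax and a few proxy log lines and reports matches. The registry dump, the "Artefacts" folder name, the client addresses and the log lines are all constructed for the example; the script also applies a broader check than the article's single indicator by flagging any Run entry that launches a .vbs from a user-profile path.

```python
import re

# Indicators named in the article (defanging brackets removed so they can be matched).
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
KNOWN_VALUE_NAME = "MicrosoftSystemServices"
KNOWN_VBS = "microsoft services.vbs"
KNOWN_HOSTS = {"outportal.azurewebsites.net", "usedust.com"}
KNOWN_PATH = "/api/Values_V2/Getting3210"

# Constructed sample registry export (.reg syntax) for this example; not real telemetry.
# The "Artefacts" folder stands in for the article's [ARTEFACTS_FOLDER] placeholder.
SAMPLE_REG_EXPORT = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"MicrosoftSystemServices"="C:\\Users\\alice\\AppData\\Roaming\\Artefacts\\Microsoft Services.vbs"
"Updater"="wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs"
'''

# Constructed proxy log lines (client, method, URL) for this example.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET https://www.microsoft.com/en-us/",
    "10.0.0.5 GET https://outportal.azurewebsites.net/api/Values_V2/Getting3210",
    "10.0.0.7 GET https://usedust.com/",
    "10.0.0.9 GET https://example.org/index.html",
]

REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text: str) -> dict:
    """Return {value_name: data} for string values under the HKCU Run key in a .reg export.
    .reg files escape backslashes as \\\\ and quotes as \\"; both escapes are undone here."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = REG_VALUE_RE.match(line)
        if in_run_key and m:
            name, data = m.group(1), m.group(2)
            values[name] = data.replace('\\"', '"').replace("\\\\", "\\")
    return values


def hunt_run_key(values: dict) -> list:
    """Flag Run-key entries matching the reported loadpoint, plus (generic check) any
    .vbs launched from a user-profile path, which is unusual for legitimate software."""
    findings = []
    for name, data in values.items():
        low = data.lower()
        if name == KNOWN_VALUE_NAME:
            findings.append((name, "known loadpoint value name"))
        elif KNOWN_VBS in low:
            findings.append((name, "known loadpoint script name"))
        elif ".vbs" in low and "\\appdata\\" in low:
            findings.append((name, "script autorun from user-writable path"))
    return findings


def hunt_proxy_log(lines: list) -> list:
    """Flag requests to the hosts named in the article; the exact loader download
    path is reported separately from a bare hit on the host."""
    findings = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        m = re.match(r"https?://([^/]+)(/.*)?", url)
        if not m:
            continue
        host, path = m.group(1).lower(), m.group(2) or "/"
        if host in KNOWN_HOSTS:
            tag = "known loader download URL" if path == KNOWN_PATH else "known C&C host"
            findings.append((client, host, tag))
    return findings


if __name__ == "__main__":
    for finding in hunt_run_key(parse_run_values(SAMPLE_REG_EXPORT)):
        print("registry:", finding)
    for finding in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", finding)
```

On a real host the registry text would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (or an equivalent collection in an EDR tool) and the log lines from the proxy; the generic .vbs-from-AppData rule will produce some benign hits, so treat it as a triage lead rather than a verdict.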
Upon execution, it attempts to communicate with the attackers’ C&C servers, which are hosted on Microsoft infrastructure:
After this, the attackers can run commands whose input, output, and error streams they control and capture. The backdoor also sends frequent GET requests to the C&C server; the returned messages are extracted and then deleted. Meanwhile, the output and error streams of cmd.exe are collected and encrypted before being sent to the attackers. The screenshot taker stores captured images in a password-protected ZIP archive for exfiltration and deletes any archived images older than one week.
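The frequent GET polling described above is a beaconing pattern that shows up in proxy logs even when the host is a legitimate cloud service such as azurewebsites.net. The following Python script is an added example (not code from the article) that groups GET requests per client and host, computes the gaps between consecutive requests, and flags pairs whose gaps are both numerous and nearly constant. The log format, timestamps and client addresses are constructed for the example; the thresholds (`min_requests`, `max_jitter`) are assumptions a team would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines for this example (ISO timestamp, client, method, host);
# not real telemetry. 10.0.0.5 polls one host every minute; 10.0.0.8 browses normally.
SAMPLE_LOG = """
2021-10-01T09:00:00 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:00:01 10.0.0.8 GET www.microsoft.com
2021-10-01T09:01:00 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:02:01 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:03:00 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:03:30 10.0.0.8 GET www.microsoft.com
2021-10-01T09:04:00 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:05:01 10.0.0.5 GET outportal.azurewebsites.net
2021-10-01T09:17:45 10.0.0.8 GET www.microsoft.com
2021-10-01T09:52:02 10.0.0.8 GET www.microsoft.com
"""


def parse_log(text: str):
    """Yield (timestamp, client, host) for well-formed GET lines; anything else is skipped."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def find_beacons(text: str, min_requests: int = 5, max_jitter: float = 0.2) -> dict:
    """Return {(client, host): mean_gap_seconds} for pairs whose GET requests recur at
    near-constant intervals: at least min_requests hits, and the population standard
    deviation of the gaps no more than max_jitter times the mean gap."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {gap:.1f}s")
```

The jitter test is what separates polling from ordinary browsing: the browsing client in the sample makes too few requests and its gaps vary by orders of magnitude, so it is never reported, while the polling client is flagged with a mean gap of 60.2 seconds. Implants that randomize their sleep interval need a looser `max_jitter` or a different statistic, so this check is a starting point rather than a complete beacon detector.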
Security experts say that Harvester’s activities border on espionage. Since Afghanistan is going through a political upheaval, the group’s motivations remain unclear, although its methods point towards nation-state-sponsored activity.
This year we've also seen a Chinese APT group called ‘SharpPanda’ developing and refining a custom backdoor that enabled it to conduct sophisticated cyber-espionage against governments in the Southeast Asian region.