Malicious Email Campaign Spreading Data Stealing Trojans Spotted in Wild

Researchers at Symantec have detailed a new nation-state-backed hacking group – Harvester. They named this according to the purpose it’s being in wild.

The Harvester group’s motto is to steal intelligence from organizations in South Asia, specifically IT, government, and telecom firms. It’s found to be using a combination of publicly available and novel tools.

Harvester Hacking Group

Harvester: A New Nation-State Backed Hacking Group in Wild
Harvester: A New Nation-State Backed Hacking Group in Wild

Symantec researchers finding – Harvester is a relatively new hacking group that started its operations in June this year. Since then, it’s been found to be targeting telecom, IT, and government organizations in South Asian countries.

Researchers were unable to determine the origin of this hacking group, as the pattern it follows and tools it uses aren’t matching with anyone prior. But, they’re linked to an unknown nation-state, considering the purpose of reconnaissance. In a detailed note, researchers said the group’s using a combination of the following tools;

  • Metasploit – for various purposes like privilege escalation, screen capture, to set up a persistent backdoor, etc.
  • Cobalt Strike Beacon – using the CloudFront infrastructure for its C&C activity, and using it for injecting processes, executing commands, uploading and downloading of files, and impersonation.
  • Backdoor.Graphon – a custom backdoor using Microsoft infrastructure for its C&C activity.
  • Custom Downloader – a Microsoft infrastructure used for its C&C activity.
  • Custom Screenshotter – used for logging screenshots to a file periodically.

While the first two are publicly available, the latter three tools are custom-made. Researchers haven’t spotted the initial vector yet, but they studied the purposes of available tools in a targeted machine.

Harvester is able to blend the C2 communications and mix it with legitimate traffic coming from CloudFront and Microsoft infrastructure. This way, they’re able to hide from their activities. Also, the custom downloader is able to create necessary files, add a registry value for a new load-point, and open a website (hxxps://usedust[.]com) in the system’s embedded web browser.

Other Trending News:-  News

LEAVE A REPLY

Please enter your comment!
Please enter your name here