A previously unseen advanced persistent threat (APT) group dubbed Harvester by researchers is attacking telcos, IT companies and government-sector targets in a campaign that’s been ongoing since June.

According to a Symantec analysis, the group sports a veritable cornucopia of advanced and custom tools, and it’s on a quest to carry out espionage activities in Afghanistan and elsewhere in that region. As of October, the campaign was still ongoing, looking to dig up a bounty of sensitive data.

A Sharp Set of Tools

Harvester has invested in a range of tools for scything through organizations’ defenses, Symantec found, including the “Graphon” custom backdoor. Graphon is deployed alongside a tool for gathering screenshots and downloaders for other malware and tools – offering a host of remote-access and data-exfiltration capabilities.

“We do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence we found of Harvester activity on victim machines was a malicious URL,” according to Symantec’s writeup. “The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network.”

The APT also attempts to avoid notice by using legitimate CloudFront and Microsoft infrastructure for its command-and-control (C2) activity, in a bid to go unnoticed amidst legitimate network traffic.

The primary tools used by Harvester are as follows:

Graphon: A custom backdoor that uses Microsoft…
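The point about C2 riding on legitimate CloudFront and Microsoft infrastructure is the detection-relevant one: a destination allow-list will not help when the destination is a trusted CDN. What still stands out is timing. The script below is an added example, not code from Symantec or from the reporting above; it runs a simple beaconing check over constructed proxy log lines (the hostnames, workstation name and process names are invented for the example) and flags any (source, process, destination) series that calls out at a near-fixed interval, regardless of how reputable the destination looks. The thresholds are assumptions a team would tune to its own traffic.

```python
"""Beaconing detection over constructed proxy logs.

Added example, not part of the Symantec/Threatpost reporting on Harvester.
It shows one way a defender can surface C2 that hides behind legitimate CDN
hosts: even when the destination is trusted, a process that calls out at a
near-fixed interval is statistically conspicuous. All log lines, hostnames
and process names below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <src host> <process> <dest host>"
SAMPLE_LOG = """\
2021-09-01T10:00:00 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:00:04 ws-17 browser.exe login.microsoftonline.com
2021-09-01T10:05:01 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:07:30 ws-17 browser.exe d1example.cloudfront.net
2021-09-01T10:10:00 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:15:02 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:18:45 ws-17 browser.exe login.microsoftonline.com
2021-09-01T10:20:01 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:25:00 ws-17 updater.exe d1example.cloudfront.net
2021-09-01T10:44:10 ws-17 browser.exe login.microsoftonline.com
2021-09-01T11:02:33 ws-17 browser.exe login.microsoftonline.com
"""


def parse_log(text):
    """Yield (timestamp, src, process, dest) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, proc, dest = line.split()
        yield datetime.fromisoformat(ts), src, proc, dest


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, proc, dest): mean_interval_seconds} for periodic callers.

    A series is flagged when it has at least `min_events` connections and its
    inter-arrival times have a coefficient of variation (stdev / mean) at or
    below `max_cv`. Both thresholds are assumptions for the example; real
    deployments tune them against baseline traffic and add jitter tolerance.
    """
    series = defaultdict(list)
    for ts, src, proc, dest in parse_log(text):
        series[(src, proc, dest)].append(ts)

    flagged = {}
    for key, times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread in the gaps means a clock-driven caller, not a human.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = avg
    return flagged


if __name__ == "__main__":
    for (src, proc, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} {proc} -> {dest}: beacon every ~{interval:.0f}s")
```

In the constructed sample, the browser's visits to the Microsoft login host and the CDN are irregular and are not flagged, while `updater.exe` contacts the CloudFront hostname every five minutes to within a couple of seconds and is reported. The same logic applies to any CDN or cloud front-end the adversary chooses: the trust placed in the destination is exactly what the technique exploits, so the detection has to key on behaviour rather than reputation.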
