Harvester APT Goes After IT & Government Entities in South Asia
The Harvester APT appears to be a newly identified cybercrime group. Its operations are focused on South Asia, but the majority of its identified victims are companies and organizations located in Afghanistan. Judging by the tools the attackers rely on, their ultimate goal is very likely espionage and data theft. One of their signature implants is a previously undetected backdoor called Graphon, which does not share similarities with malware used by other Advanced Persistent Threat (APT) actors.
Harvester APT Hackers Use Public and Private Hacking Tools
The currently tracked Harvester APT campaign targets entities in the telecommunications, information technology, and government sectors, although it is possible that not all victims have been identified yet. The Graphon Backdoor implant appears to be the primary weapon in the group's arsenal: it has been used to exfiltrate data, spy on user activity through remote access, and run third-party tools such as Cobalt Strike Beacon and Metasploit.
It is worth noting that the criminals host their command-and-control servers on legitimate Microsoft Azure infrastructure. This is not an uncommon trick, since it lets them blend their malicious traffic with legitimate traffic and get past firewalls – most network administrators do not block legitimate services like Microsoft Azure. There is not enough information about Harvester APT yet, but researchers suspect that it might be a state-backed actor; the country of origin cannot be identified at this time. Last but not least, the current Harvester APT attack campaign is still ongoing, and companies and organizations in the South Asian region should take the necessary measures to secure their systems and data. Up-to-date, reputable antivirus software is already capable of identifying and eliminating the Graphon Backdoor's files, components, and network connections.
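Because command-and-control traffic to a trusted cloud provider cannot simply be blocked by destination, defenders have to look at how a host talks to the provider rather than whether it does. The script below is an added example written for this article, not code from the article or from any researcher's report: it runs two heuristics over a small, constructed proxy log (the hostnames, workstation names and timestamps are all placeholders, not indicators from the Harvester campaign). The first heuristic flags client/destination pairs whose connection intervals are nearly constant, the beaconing pattern that implants such as Cobalt Strike Beacon produce; the second flags endpoints under the provider's domain that only a single internal host ever contacts, since shared login or storage services are reached by many hosts.

```python
"""Flag possible command-and-control beaconing hidden in traffic to a
legitimate cloud provider, using two defender-side heuristics:

1. Periodicity: a client contacting the same destination at near-constant
   intervals (beacon behaviour) stands out even when the destination is a
   widely used cloud service.
2. Rarity: a destination under a trusted provider's domain that only one
   internal host ever talks to is worth a closer look.

All log lines below are constructed for this example; the hostnames are
placeholders and are not indicators from any real campaign.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_host> <dst_host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2021-10-18T09:00:00 WS-017 placeholder-c2.example-cloud.test 812
2021-10-18T09:00:02 WS-003 login.example-cloud.test 1450
2021-10-18T09:01:00 WS-017 placeholder-c2.example-cloud.test 803
2021-10-18T09:01:30 WS-022 login.example-cloud.test 1433
2021-10-18T09:02:01 WS-017 placeholder-c2.example-cloud.test 820
2021-10-18T09:02:45 WS-003 storage.example-cloud.test 90211
2021-10-18T09:03:00 WS-017 placeholder-c2.example-cloud.test 799
2021-10-18T09:03:12 WS-022 storage.example-cloud.test 51020
2021-10-18T09:04:01 WS-017 placeholder-c2.example-cloud.test 815
2021-10-18T09:05:00 WS-017 placeholder-c2.example-cloud.test 808
2021-10-18T09:07:40 WS-003 login.example-cloud.test 1461
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return events


def detect_beacons(events, min_connections=5, max_jitter_ratio=0.1):
    """Return {(src, dst): mean_interval_seconds} for pairs whose
    inter-arrival times are nearly constant. A low standard deviation
    relative to the mean (coefficient of variation) is the periodicity
    signal; interactive user traffic is far more irregular."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[pair] = round(avg, 1)
    return beacons


def rare_destinations(events, provider_suffix):
    """Return destinations under `provider_suffix` that only a single
    internal host ever contacted. Shared services (login, storage) are
    reached by many hosts; a one-off endpoint is the anomaly."""
    hosts_per_dst = defaultdict(set)
    for _, src, dst, _ in events:
        if dst.endswith(provider_suffix):
            hosts_per_dst[dst].add(src)
    return sorted(d for d, hosts in hosts_per_dst.items() if len(hosts) == 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_PROXY_LOG)
    print("periodic pairs:", detect_beacons(evs))
    print("single-host destinations:",
          rare_destinations(evs, ".example-cloud.test"))
```

On real proxy or firewall logs the thresholds need tuning: legitimate agents (update checkers, telemetry) also poll on fixed schedules, so the periodicity hit is a triage signal to combine with the rarity check and with process or user context, not a verdict on its own.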