Description
Harvester group is targeting telecommunications, government, and information technology sectors by using custom backdoor to exploit victims’ devices remotely and gained access to victim’s machine. The attacker is using legitimate traffic by utilizing genuine CloudFront and Microsoft framework for its command and control (C&C) to bypass any detection mechanism.
The Harvester Group attackers are using various tools like Backdoor, Graphon (Custom Backdoor to connect to C&C), Custom Downloader and Screenshotter Metasploit along with Cobalt Strike Beacon.
Indicators of compromise (IOCs)
File hashes:
0740cc87a7d028ad45a3d54540b91c4d90b6fc54d83bb01842cf23348b25bc42
303f93cc47c58e64665f9e447ac11efe5b83f0cfe4253f3ff62dd7504ee935e0
3c34c23aef8934651937c31be7420d2fc8a22ca260f5afdda0f08f4d3730ae59
3c8fa5cc50eb678d9353c9f94430eeaa74b36270c13ba094dc5c124259f0dc31
470cd1645d1da5566eef36c6e0b2a8ed510383657c4030180eb0083358813cd3
691e170c5e42dd7d488b9d47396b633a981640f8ab890032246bf37704d4d865
a4935e31150a9d6cd00c5a69b40496fea0e6b49bf76f123ea34c3b7ea6f86ce6
c4b6d7e88a63945f3e0768657e299d2d3a4087266b4fc6b1498e2435e311f5d1
cb5e40c6702e8fe9aa64405afe462b76e6fe9479196bb58118ee42aba0641c04
d84a9f7b1d70d83bd3519c4f2c108af93b307e8f7457e72e61f3fa7eb03a5f0d
f4a77e9970d53fe7467bdd963e8d1ce44a2d74e3e4262cd55bb67e7b3001c989
Recommendations
Workaround:
• Ensure Operating System and Software are updated with latest security patches. • Analyze Firewall and Internet proxy logs for the presence of mentioned IOCs. • Avoid handling files or URL links in emails, chats or shared folders from untrusted sources. • Provide phishing awareness trainings to your employees/contractors. • Keep Anti-malware solutions at endpoint and network level updated at all time. • Deploy Endpoint Detection & Response (EDR) tools to detect latest malwares and suspicious activities on endpoints
References
Https://Symantec-enterprise-blogs.security.com/blogs/threat-]intelligence/harvester-new-apt-attacks-asia
Comments