In a recent cyber onslaught, an undisclosed Afghan governmental organization fell victim to a sophisticated attack orchestrated by an Advanced Persistent Threat (APT) group, featuring the deployment of a previously undocumented web shell named HrServ.
Kaspersky, a leading cybersecurity firm, disclosed that the web shell, identified as a dynamic-link library (DLL) named “hrserv.dll,” boasts advanced features such as customized encoding methods for client communication and in-memory execution. Detailed analysis by Kaspersky researcher Mert Degirmenci, published this week, uncovered the intricacies of the attack.
The Russian cybersecurity experts traced variants of the malware back to early 2021, drawing on compilation timestamps of artifacts associated with the malicious software.
Web shells, like HrServ, are malicious tools granting remote control over compromised servers. Once deployed, threat actors gain the ability to conduct a variety of post-exploitation activities, ranging from data theft and server monitoring to lateral movement within the network.
The attack sequence involves the utilization of the PAExec remote administration tool, serving as an alternative to PsExec. This tool acts as a launchpad to create a scheduled task masquerading as a seemingly benign Microsoft update (“MicrosoftsUpdate”). Subsequently, this task is configured to execute a Windows batch script (“JKNLA.bat”).
The Batch script, taking the absolute path to the DLL file (“hrserv.dll”) as an argument, executes the file as a service, initiating an HTTP server capable of parsing incoming requests for subsequent actions.
Mert Degirmenci highlighted, “Based on the type and information within an HTTP request, specific functions are activated.” He further pointed out that the GET parameters within the hrserv.dll file, mimicking Google services, include ‘hl,’ likely intended to camouflage rogue requests within network traffic.
Embedded in HTTP GET and POST requests is a parameter called “cp,” with values ranging from 0 to 7 determining the next set of actions. These actions encompass spawning threads, creating files with arbitrary data, reading files, and accessing Outlook Web App HTML data.
If the “cp” value in the POST request equals “6,” it triggers code execution by parsing encoded data, copying it into memory, creating a new thread, and inducing a sleep state.
Additionally, the web shell can activate the execution of a stealthy “multifunctional implant” in memory, tasked with erasing forensic evidence by deleting the “MicrosoftsUpdate” job, as well as the initial DLL and batch files.
Although the identity of the threat actor remains unknown, the presence of numerous typos in the source code suggests a non-native English speaker as the malware author. Degirmenci noted, “Notably, the web shell and memory implant use different strings for specific conditions,” concluding that “the malware’s characteristics align more with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior.”