An unspecified Afghan government entity has been targeted by a previously undocumented web shell called HRServ in what is suspected to be an advanced persistent threat (APT) attack.
The web shell, a dynamic-link library (DLL) named “hrserv.dll,” features “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert Degirmenci says in an analysis published this week.
The Russian cybersecurity company says it has identified malware variants dating back to early 2021 based on the compilation timestamps of these artifacts.
Web shells are common malicious tools that provide remote control of a compromised server. Once uploaded, they allow threat actors to perform a variety of post-exploitation activities, including data theft, server monitoring, and lateral movement within the network.
The attack chain includes the PAExec remote management tool, an alternative to PsExec, which is used as a launchpad to create a scheduled task disguised as a Microsoft update (“MicrosoftsUpdate”). That task is then configured to execute a Windows batch script (“JKNLA.bat”).
The batch script accepts as an argument the absolute path to a DLL file (“hrserv.dll”), which is then executed as a service to start an HTTP server capable of parsing incoming HTTP requests for follow-on actions.
“Based on the type and information within the HTTP request, specific functions are activated,” said Degirmenci, adding that “the GET parameters used in the hrserv.dll file, used to impersonate Google services, includes ‘hl’.”
This is likely an attempt by the threat actor to mix these rogue requests with network traffic and make it more challenging to distinguish malicious activity from benign events.
Embedded within HTTP GET and POST requests is a parameter called cp, whose value – from 0 to 7 – determines the next action. This includes spawning new threads, creating files with arbitrary data written to them, reading files, and accessing Outlook Web App HTML data.
If the value of cp in the POST request is equal to “6,” it triggers code execution by parsing the encoded data and copying it to memory, following which a new string is created and the process enters the sleep state.
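The request-parameter behaviour described above lends itself to a simple log triage heuristic. The script below is an added example written for this article, not code from Kaspersky's analysis or from the web shell itself. It scans web server access-log lines for a numeric `cp` parameter in the 0-7 range, treats the Google-style `hl` parameter as a secondary signal, and rates a POST with `cp=6` highest, since that is the value the analysis ties to code execution. The log format, the client addresses and the request paths are constructed for the example; HRServ's real endpoint paths are not given in the article. Note that the heuristic only sees query strings, because POST bodies are not normally written to access logs, and that `hl` on its own is too common in benign traffic to be a signal by itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed access-log format for this example:  client "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})$'
)

VALID_CP = {str(i) for i in range(8)}  # the article: cp takes values from 0 to 7
CODE_EXEC_CP = "6"                      # the article: cp=6 in a POST triggers code execution


@dataclass
class Finding:
    client: str
    method: str
    target: str
    cp: str
    has_hl: bool
    severity: str  # "high", "medium" or "low"


def classify(client: str, method: str, target: str) -> Optional[Finding]:
    """Rate a single request; return None when it does not match the pattern."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    cp_values = query.get("cp", [])
    # Exactly one cp value, and it must be one of the eight documented actions.
    if len(cp_values) != 1 or cp_values[0] not in VALID_CP:
        return None
    cp = cp_values[0]
    has_hl = "hl" in query  # Google-impersonating parameter named in the analysis
    if method == "POST" and cp == CODE_EXEC_CP:
        severity = "high"
    elif has_hl:
        severity = "medium"
    else:
        severity = "low"
    return Finding(client, method, target, cp, has_hl, severity)


def triage(lines: List[str]) -> List[Finding]:
    """Parse each log line and collect the requests worth a closer look."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparseable line; skip rather than abort the whole run
        finding = classify(match["client"], match["method"], match["target"])
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample lines; none of these paths come from the article.
SAMPLE_LOG = [
    '10.0.0.5 "POST /search?hl=en&cp=6 HTTP/1.1" 200',   # high: POST with cp=6
    '10.0.0.5 "GET /search?hl=en&cp=2 HTTP/1.1" 200',    # medium: cp in range plus hl
    '10.0.0.7 "POST /update?cp=1 HTTP/1.1" 200',         # low: cp in range, no hl
    '10.0.0.9 "GET /index.html HTTP/1.1" 200',           # no finding
    '10.0.0.9 "GET /search?hl=en&q=test HTTP/1.1" 200',  # hl alone is not a signal
    '10.0.0.7 "GET /search?cp=9 HTTP/1.1" 404',          # cp outside 0-7
    "not a log line",                                    # skipped by the parser
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.client} {f.method} {f.target} cp={f.cp} hl={f.has_hl}")
```

Run against real logs, the severity tiers are only a starting point for an analyst: a `low` hit on a host that also shows a scheduled task named “MicrosoftsUpdate” or a batch script launching an unfamiliar DLL as a service is far more interesting than the query string alone.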
The web shell is also able to activate the implementation of a hidden “multifunctional implant” in memory responsible for erasing the forensic trail by deleting the “MicrosoftsUpdate” job as well as the initial DLL and batch files.
The threat actor behind the web shell is currently unknown, but the presence of several typos in the source code indicates that the malware author is not a native English speaker.
“In particular, the web shell and memory implant use different strings for specific conditions,” concluded Degirmenci. “Also, the memory implant has a well-crafted help message.”
“Considering these factors, the malware’s characteristics are more consistent with the financial motivation of malicious activity. However, its operational method shows similarities with the behavior of APT.”