New ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government

New 'HrServ.dll' Web Shell Detected in APT Attack Targeting Afghan Government

November 25, 2023 at 12:18AM

An unnamed government entity in Afghanistan fell victim to a sophisticated cyber attack involving a previously unknown web shell called HrServ. The web shell exhibits advanced features and allows threat actors to control the compromised server and carry out various malicious activities. The attack involves the use of a remote administration tool and a batch script. The malware author’s non-native English language skills and the presence of typos suggest potential financial motivations behind the attack.

Key Takeaways from the Meeting Notes:

– An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what appears to be an advanced persistent threat (APT) attack.
– The web shell, named “hrserv.dll,” has sophisticated features such as custom encoding methods and in-memory execution.
– The Russian cybersecurity firm Kaspersky identified variants of the malware dating back to early 2021.
– Web shells are malicious tools that provide remote control over a compromised server, allowing threat actors to carry out various post-exploitation activities.
– The attack chain involves the use of the PAExec remote administration tool, masquerading as a Microsoft update, and executing a Windows batch script.
– The batch script executes the web shell as a service to launch an HTTP server capable of parsing incoming requests.
– The web shell mimics Google services in order to blend malicious requests with benign traffic and avoid detection.
– The web shell processes specific functions based on the parameters in the HTTP requests, including spawning threads, creating files, reading files, and accessing Outlook Web App HTML data.
– A parameter called “cp” in the requests determines the next course of action.
– If the value of “cp” is 6 in a POST request, it triggers code execution and creates a new thread before entering a sleep state.
– The web shell can activate a stealthy “multifunctional implant” in memory to erase the forensic trail by deleting the initial files.
– The threat actor behind the web shell is unknown, but the presence of typos in the source code suggests that the malware author is not a native English speaker.
– The malware’s characteristics indicate financially motivated malicious activity, although its operational methodology exhibits similarities to APT behavior.

For more exclusive content, follow us on Twitter and LinkedIn.

Full Article