An advanced persistent threat (APT) attack is believed to have been launched against an unidentified government organisation in Afghanistan using the web shell HrServ, which had not been previously reported.
In an investigation released this week, Kaspersky security researcher Mert Degirmenci noted that the web shell, a dynamic-link library (DLL) called "hrserv.dll," demonstrates "sophisticated features such as custom encoding methods for client communication and in-memory execution."
According to the Russian cybersecurity company, these artefacts' compilation timestamps allowed it to identify malware variants that go all the way back to early 2021.
Web shells are usually malicious and allow remote control over a compromised system. Once one has been uploaded, threat actors can use it to perform a variety of post-exploitation tasks, such as data theft, server monitoring, and lateral movement across the network.
The attack chain starts with the remote administration programme PAExec, which is a substitute for PsExec and is used to create scheduled tasks that pretend to be Microsoft updates ("MicrosoftsUpdate") and are then set up to run a Windows batch script ("JKNLA.bat").
The batch script accepts as an argument the absolute path to a DLL file ("hrserv.dll"), which is then run as a service to start an HTTP server that can interpret incoming HTTP requests and take further action.
"Based on the type and information within an HTTP request, specific functions are activated," Degirmenci stated. He also stated that "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'"
The threat actor is probably attempting to blend these rogue requests into regular network traffic in an effort to make it more difficult to discern between legitimate and malicious activity.
Those HTTP GET and POST requests contain a parameter called cp, whose value, which ranges from 0 to 7, dictates what happens next. This covers reading files, writing arbitrary data to files, launching new threads, and accessing Outlook Web App HTML data.
If the value of cp in a POST request equals "6," a new thread is launched and the process enters a sleep state; the new thread parses the encoded data, copies it into memory and thereby initiates code execution.
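As an added defender-side example that is not from the Kaspersky report, the following Python scans constructed access-log lines for requests that combine the Google-mimicking hl parameter with a cp value in the 0 to 7 dispatch range described above; the log format, sample lines and function names are assumptions for illustration.

```python
# Added example (not from the Kaspersky report): scan constructed web-server
# access-log lines for the HrServ-style request shape described above, i.e. a
# Google-looking "hl" GET parameter combined with a "cp" parameter whose value
# lies in the 0-7 dispatch range. Log format and sample lines are assumptions.
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a Combined-Log-like shape (method, path, status).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2023:10:01:02 +0000] "GET /search?hl=en&q=weather HTTP/1.1" 200 512
10.0.0.9 - - [21/Nov/2023:10:01:07 +0000] "GET /?hl=en&cp=1 HTTP/1.1" 200 64
10.0.0.9 - - [21/Nov/2023:10:01:09 +0000] "POST /?hl=en&cp=6 HTTP/1.1" 200 16
10.0.0.7 - - [21/Nov/2023:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [21/Nov/2023:10:02:30 +0000] "GET /?cp=9 HTTP/1.1" 404 12
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious(method: str, url: str) -> bool:
    """True when the request carries both the Google-mimicking 'hl' parameter
    and a 'cp' dispatch value between 0 and 7, as the HrServ write-up describes."""
    if method not in ("GET", "POST"):
        return False
    params = parse_qs(urlsplit(url).query)
    if "hl" not in params or "cp" not in params:
        return False
    cp = params["cp"][0]
    return cp.isdigit() and 0 <= int(cp) <= 7


def find_hrserv_like(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, method, url) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_suspicious(m["method"], m["url"]):
            hits.append((m["ip"], m["method"], m["url"]))
    return hits


if __name__ == "__main__":
    for ip, method, url in find_hrserv_like(SAMPLE_LOG):
        print(f"possible HrServ-style request from {ip}: {method} {url}")
```

The two sample hits both come from 10.0.0.9; in practice such a match would be a pivot point for checking the host for the scheduled task and DLL described in the article, not a verdict on its own.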
The web shell can also trigger the execution of a covert "multifunctional implant" in memory, which removes the original DLL and batch files, together with the "MicrosoftsUpdate" job, thereby wiping off the forensic trail.
Although the threat actor responsible for the web shell is still unknown, the source code contains multiple typos that suggest the malware's creator is not a native English speaker.
"Notably, the web shell and memory implant use different strings for specific conditions," Degirmenci said. "In addition, the memory implant features a meticulously crafted help message."
"In light of these elements, the malware's traits are more in line with malevolent behaviour driven by financial gain. Nonetheless, there are parallels between its operational approach and APT behaviour."