In a recent investigation, a DLL file by the name of hrserv.dll was discovered. The file is a web shell that utilizes advanced features such as custom encoding methods for client communication and in-memory execution. Further analysis of the file resulted in the identification of related variants compiled in 2021, indicating a possible correlation between separate incidences of malicious activity.
The initial infection involves the PAExec.exe process creating a scheduled task on the system named MicrosoftsUpdate, which executes a .BAT file. The .BAT file accepts a file path argument, where the script is supplied with the hrserv.dll file that is subsequently copied to the System32 directory. Following this operation, the script configures a service via the system registry and the sc utility, activating the newly created service.
The hrserv.dll file exhibits a variety of advanced features such as client-server communication using custom encoding techniques, including Base64 encoding and FNV1A64 hashing algorithms. Specific functions are triggered based on the type and information within an HTTP request. It was also observed that the malicious activity intentionally mimics naming conventions used by Google, making it challenging to detect.
Upon receiving request parameters, the web shell is designed to carry out different functions such as creating files, reading files, and returning specific HTML data. Additionally, a code execution process is initiated under specific conditions, involving the registry path and custom-decoded POST data.
Post-establishing a foothold, specific commands are carried out via the memory implant to erase traces of previous malicious activity. The removal includes the deletion of the scheduled “MicrosoftsUpdate” job and both the initial DLL and batch files.
Variants of the hrserv web shell were found dating back to early 2021, exhibiting a slightly different URL pattern and distinct behavior in comparison to the current version. Moreover, a specific government entity in Afghanistan was identified as the sole victim of this malicious activity.
A careful examination of the analyzed malware variant suggests that it originates from at least 2021, exhibiting capabilities of initiating in-memory executions and utilizing distinct strings for specific conditions. While the malware’s characteristics point toward financially motivated activity, its operational methodology shares similarities with APT behavior.
Notably, the TTPs analyzed in this investigation did not reveal an association with any known threat actors. However, specific indicators, such as GET parameters and typos observed in help strings, may provide clues to the actor behind the samples.
The investigative efforts remain ongoing as analysts continue to monitor any related activity, aiming to unravel the mystery behind the origins and motives of this sophisticated web shell.