New “HrServ.dll” Web Shell Detected in APT Attack Against Afghan Government


The latest analysis released by Kaspersky security researcher Mert Degirmenci shows that the web shell is a dynamic link library (DLL) named "hrserv.dll" with complex functions, such as custom encoding methods for client communication and in-memory execution.

According to Kaspersky, the Russian cybersecurity company's investigation, based on the artifacts' compilation timestamps, uncovered malware variants dating back to early 2021.

A web shell is a malicious tool used to remotely control a compromised server. Once uploaded, the attacker can perform a range of post-exploitation activities, including data theft, server monitoring, and lateral movement within the internal network.

The attack chain involves PAExec, an open-source remote administration tool used as a replacement for PsExec. It is used to create a scheduled task disguised as a Microsoft update ("MicrosoftsUpdate"), which is configured to execute a Windows batch script named "JKNLA.bat".

The batch script takes the absolute path of the DLL file ("hrserv.dll") as a parameter and runs it as a service, which starts an HTTP server that parses incoming HTTP requests for subsequent operations.

Degirmenci said that specific functions are activated depending on the type and contents of the HTTP request. He added that the GET parameters used by "hrserv.dll", including 'hl', are chosen to imitate Google services.


This is most likely an attempt by the attacker to blend these malicious requests into normal network traffic, making malicious activity harder to distinguish from legitimate events.

A parameter named "cp" is embedded in these HTTP GET and POST requests; its value, which ranges from 0 to 7, determines the next operation. The operations include creating new threads, creating files with arbitrary data, reading files, and accessing HTML data from Outlook Web App.

If the value of "cp" in a POST request equals 6, code execution is triggered: the encoded data is parsed and copied into memory, a new thread is created to run it, and the process then enters a sleep state.
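The request scheme described above (Google-style parameters such as 'hl' alongside a 'cp' selector in the range 0 to 7, with a POST carrying cp=6 as the code-execution path) is something a defender can hunt for in web server logs. The following is an added example written for this page, not code from Kaspersky or from the original article. The log lines are constructed in a simplified "method path status" shape, the severity levels are this example's own scheme, and the parameter names are taken from the write-up; a bare 'cp' parameter is common enough on legitimate sites that this should be treated as a triage hint, not a standalone alert.

```python
"""Flag HTTP requests whose query parameters match the HrServ.dll scheme."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, not captured traffic from the reported incident.
# Shape per line: METHOD PATH?QUERY STATUS
SAMPLE_LOG = """\
GET /search?hl=en&q=printer+driver 200
GET /hrserv?hl=en-US&cp=0 200
POST /hrserv?hl=en&cp=6 200
GET /hrserv?hl=en&cp=9 404
GET /index.html 200
POST /owa/auth.owa?cp=3 200
"""

# cp values the write-up attributes to the web shell (0..7); cp=6 on a POST
# is the in-memory code-execution path.
CP_VALUES = {str(i) for i in range(8)}
EXEC_CP = "6"


def parse_line(line):
    """Split one constructed log line into method, path, query params, status."""
    method, target, status = line.split()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    return method, parts.path, params, status


def classify(line):
    """Return None for a non-matching request, else (severity, reason)."""
    method, path, params, _ = parse_line(line)
    cp = params.get("cp", [None])[0]
    if cp not in CP_VALUES:
        return None  # cp absent or outside the 0..7 selector range
    has_hl = "hl" in params  # Google-style locale parameter used as cover
    if method == "POST" and cp == EXEC_CP:
        return ("high", f"POST cp=6 (code execution) on {path}")
    severity = "medium" if has_hl else "low"
    detail = " with Google-style hl" if has_hl else ""
    return (severity, f"{method} cp={cp}{detail} on {path}")


def scan(log_text):
    """Run classify() over every line; return [(line_no, severity, reason)]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        result = classify(line)
        if result:
            hits.append((line_no, *result))
    return hits


if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: [{severity}] {reason}")
```

The selector range is the discriminating feature: cp=9 on line 4 is ignored even though the path looks suspicious, while the POST with cp=6 is ranked highest because that is the only value the write-up ties to code execution. In a real deployment, correlate hits with the host-side indicators from the same report (the "MicrosoftsUpdate" scheduled task and the "JKNLA.bat" script) before acting.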

In addition, the web shell can activate a covert "multi-function implant" in memory, which is responsible for erasing forensic traces by deleting the "MicrosoftsUpdate" task and the original DLL and batch files.

It is unclear who the threat actors behind the attack are, but multiple spelling errors in the source code suggest that the malware's author is a non-native English speaker.

Degirmenci concluded, "It is worth noting that the web shell and the memory implant use different strings under certain conditions. In addition, the memory implant has carefully crafted help information."

"Taking these factors into consideration, the malware's characteristics are more consistent with financially motivated malicious activity. However, its methods of operation share similarities with APT behavior."

Original article by Chief Security Officer; if reprinted, please indicate the source: https://cncso.com/en/ew-hrservdll-web-shell-detected-in-apt.html
