Cybersecurity researchers at Securelist have uncovered a new web shell, named “hrserv.dll,” which is being used by hackers for unauthorized server administration and control. This web shell enables attackers to gain unauthorized access to a server or website, facilitating activities like data theft and launching further attacks.
The hrserv.dll web shell is notable for its advanced features, including custom encoding and in-memory execution. The discovery also led to the identification of similar variants dating back to 2021, indicating a potential link to ongoing malicious activity.
One of the key functionalities of the HrServ web shell involves creating a ‘MicrosoftsUpdate’ scheduled task through PAExec.exe. This task triggers a .BAT file that copies hrserv.dll to the System32 directory, registers a service using the ‘sc’ command, and starts the newly created service. Once operational, HrServ starts an HTTP server using custom encoding methods based on Base64 and FNV1A64. It responds to specific values of the ‘cp’ GET parameter in HTTP requests and leverages the NID cookie for its operations.
The web shell’s naming patterns are designed to mimic Google’s, likely to camouflage its malicious activity within network traffic and evade detection. As for the ‘cp’ parameter, a value of 6 triggers code execution, while an unknown ‘cp’ value activates a versatile implant in system memory.
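As an added defender-side example (not code from the Securelist report or this article), the following Python scans web server access-log lines for the ‘cp’ GET parameter and the NID cookie described above and classifies each hit by the behaviour the report attributes to the ‘cp’ value. The log format and the sample lines are constructed assumptions; on a server that is not Google’s, a NID cookie has no legitimate reason to appear.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed format, not from the report):
# "<client_ip> <method> <request_uri> <cookie_header>"  ('-' = no cookie)
SAMPLE_LOG = """\
10.0.0.5 GET /index.html -
10.0.0.7 GET /update?cp=6 NID=abc123
10.0.0.9 GET /status?cp=42 NID=zz9
10.0.0.9 GET /search?q=cp -
10.0.0.8 POST /api/login sessionid=1
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<cookies>\S+)$")


def classify_cp(value):
    """Map the 'cp' value to the behaviour the report describes:
    6 triggers code execution; any other value activates the memory implant."""
    return "code-execution" if value == "6" else "implant-activation"


def has_nid_cookie(cookie_header):
    """True if a cookie named NID is present in 'name=value; name2=value2'."""
    if cookie_header == "-":
        return False
    names = [c.split("=", 1)[0].strip() for c in cookie_header.split(";")]
    return "NID" in names


def scan_log(text):
    """Return one finding per request that carries a 'cp' query parameter.
    A NID cookie on the same request raises the severity, since HrServ
    uses that cookie for its operations."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        params = parse_qs(urlsplit(m["uri"]).query)
        if "cp" not in params:
            continue  # 'cp' only counts as a query parameter, not as a value
        cp = params["cp"][0]
        nid = has_nid_cookie(m["cookies"])
        findings.append({"ip": m["ip"], "uri": m["uri"], "cp": cp,
                         "nid_cookie": nid, "action": classify_cp(cp),
                         "severity": "high" if nid else "medium"})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```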
Researchers found that after executing its tasks, HrServ erases its traces by deleting the ‘MicrosoftsUpdate’ job and initial files. Despite similarities in encoding, subtle differences in behavior were observed among the variants.
Interestingly, the tactics, techniques, and procedures (TTPs) used by this web shell could not be attributed to any known threat actor. However, a government entity in Afghanistan has been identified as a victim. Since 2021, the web shell has been executing in-memory operations via registry tweaks and communicates using distinct strings from the memory implant. Despite exhibiting advanced persistent threat (APT)-like behavior, financially motivated traits seem to dominate in this case.
Source: Cyber Security News
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.