Rewterz Threat Update – Recent ‘HrServ.dll’ Web Shell Detected in APT Attack Targeting Afghan Government

Severity

High

Analysis Summary

An undisclosed Afghan government entity faced an advanced persistent threat (APT) attack involving a novel web shell named HrServ.dll. This dynamic-link library (DLL) showcases sophisticated features, including custom encoding for client communication and in-memory execution, according to the researcher. The Russian cybersecurity firm detected malware variants dating back to early 2021 based on compilation timestamps. Web shells, like HrServ.dll, are malicious tools granting remote control over compromised servers, enabling post-exploitation activities such as data theft, server monitoring, and lateral movement within networks.

The attack sequence utilizes the PAExec remote administration tool, an alternative to PsExec, creating a scheduled task disguised as a fake Microsoft update (“MicrosoftsUpdate”). This task executes a Windows batch script (“JKNLA.bat”). The script takes the absolute path to the DLL file (“hrserv.dll”) as an argument, executing it as a service to establish an HTTP server. This server parses incoming HTTP requests for subsequent actions, activating specific functions based on request content.

In a suspected attempt to obfuscate malicious activity within network traffic, threat actors deployed a web shell named HrServ.dll, employing HTTP GET and POST requests with a parameter called “cp” (ranging from 0 to 7) to dictate actions. The values of “cp” trigger diverse activities, including thread creation, file manipulation, data reading, and access to Outlook Web App HTML data. Specifically, a “cp” value of “6” initiates code execution by parsing encoded data, creating a new thread, and inducing a sleep state. The web shell can activate a covert “multifunctional implant” in memory, erasing forensic traces by removing the “MicrosoftsUpdate” job and initial DLL/batch files.

The threat actor’s identity remains unknown, but typos in the source code suggest a non-native English speaker. While the web shell exhibits traits consistent with financially motivated activity, its operational methodology shares similarities with Advanced Persistent Threat (APT) behavior. The researcher highlighted distinctions between the web shell and memory implant, indicating a nuanced approach, with the latter featuring a carefully crafted help message.

“Considering these factors, the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior,” they conclude.

Impact

• Gain Access
• Code Execution
• Data Manipulation

Remediation

• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Use web filtering tools to block access to known malicious domains and websites.
• Keep all software, including operating systems, browsers, and applications, up to date with the latest security patches.
• Monitor network traffic for unusual or suspicious activity.
• Implement the principle of least privilege to restrict user access to only the resources and data necessary for their roles.
• Regularly back up critical data and systems.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively. 
• Regularly back up critical data and ensure that a robust backup and recovery plan is in place.