In a recent cyberattack on an undisclosed government entity in Afghanistan, a previously unknown web shell called HrServ proved to be a powerful weapon in the hands of the attackers. This web shell, a dynamic-link library (DLL) named “hrserv.dll,” displayed advanced features, including custom encoding methods and in-memory execution. Let’s delve into the details of this malicious tool and explore its role in the attack.
Description of the HrServ Web Shell
Web shells are notorious for providing adversaries with remote control over compromised servers. HrServ, the focal point of this attack, showcased remarkable sophistication through its custom encoding methods for client communication and execution in memory. Its nature as a DLL allowed it to evade detection more effectively, enabling the attackers to maintain control over the compromised servers undetected.
The Role and Functionality of Web Shells
Web shells are dangerous tools that enable attackers to gain unauthorized access and control over compromised servers. Once a web shell is deployed, it allows the attacker to execute commands, upload and download files, manipulate data, and exploit the compromised system in various ways. In the case of HrServ, it provided the attackers with a robust platform for launching an advanced persistent threat.
Unraveling the Attack Chain
The attack chain employed in this APT attack involved the utilization of the PAExec remote administration tool. Acting as an alternative to PsExec, PAExec served as a launchpad to create a scheduled task. This task was designed to disguise itself as a seemingly innocuous Microsoft update, tricking victims into unknowingly running it on their systems.
Execution process of HrServ Web Shell
To initiate the HrServ web shell, a batch script was employed. The script used the path to the DLL file, “hrserv.dll,” as an argument to execute it as a service, thereby establishing an HTTP server. This server acted as a communication channel between the attackers and the compromised server, allowing them to issue commands and control the infiltrated system remotely.
Activation of Specific Functions
By interpreting the type and information within an HTTP request, specific functions within the HrServ web shell can be activated. One notable characteristic of this attack is the utilization of GET parameters that mimic Google services, with ‘hl’ being a prominent example. These GET parameters facilitate the manipulation of the web shell’s behavior, contributing to the attacker’s control over the compromised system.
Understanding the Parameter ‘cp’
Embedded within the HTTP GET and POST requests is a crucial parameter known as ‘cp.’ The value assigned to this parameter, ranging from 0 to 7, determines the subsequent course of action undertaken by the web shell. It acts as a control mechanism, guiding the attackers through their malicious activities, whether it be data exfiltration, lateral movement, or persistence establishment.
Expanding the Web Shell’s Capabilities
In addition to its remote control functionalities, HrServ possesses an alarming capability: it can activate the execution of a stealthy “multifunctional implant” in memory. This implant plays a pivotal role in erasing the forensic trail, making it extremely challenging for investigators to trace the attackers’ activities. This further emphasizes the advanced nature of the attack and the cunning strategies employed.
Analyzing the Malware Author
Observations and analysis of the HrServ web shell reveal an interesting aspect about its creator – the presence of several typos in the source code. These grammatical errors suggest that the malware author is not a native English speaker. This linguistic insight can aid investigators in profiling potential threat actors and narrowing down attribution possibilities.
The emergence of HrServ as a previously undocumented web shell highlights the ever-evolving nature of cyber threats and the continuous need for robust cybersecurity measures. The attack on the Afghan government entity serves as a reminder that adversaries are constantly developing sophisticated tools capable of evading detection and wreaking havoc. Timely detection, proactive defense strategies, and international collaboration are vital in combating these advanced persistent threats and safeguarding against potential breaches.