Category | Details |
---|---|
Threat Actors | Unknown threat actor with no link to a known group; typos in English strings suggest a non-native English speaker, and the “en-TW” value used in request parameters hints at a possible Traditional Chinese connection. |
Campaign Overview | Discovery of a sophisticated web shell named hrserv.dll, exhibiting advanced features like custom encoding and in-memory execution. Variants date back to at least 2021, indicating prolonged malicious activity targeting at least one government entity in Afghanistan. |
Target Regions (Victims) | A government entity in Afghanistan (only known victim according to telemetry data). |
Methodology | – Initial infection: PAExec.exe creates a scheduled task named “MicrosoftsUpdate” that runs a .BAT file. – Persistence: hrserv.dll is copied to the System32 directory, a service is configured for it via the registry and the sc utility, and the service is then started. – Execution: HrServ starts an HTTP server through the HTTP Server API and registers a specific URL prefix (listed under Indicators of Compromise) for its requests. – Communication: custom encoding (Base64, FNV1A64 hashing) and Google-style request parameters are used to evade detection. – Cleanup: the scheduled task and dropped files are deleted to erase traces. |
TTPs | – Scheduled tasks for persistence. – Copying malicious DLLs to system directories. – Creating and starting services via the registry and the sc utility. – Setting up HTTP servers with the HTTP Server API. – Custom encoding for client-server communication. – Mimicking legitimate services (Google parameters, Outlook Web App) to blend in with normal traffic. – In-memory execution of implants. – Using the registry and temp files as communication channels. – Deleting traces post-infection. |
Indicators of Compromise | File hashes (MD5): b9b7f16ed28140c5fcfab026078f4e2e, 418657bf50ee32acc633b95bac4943c6, d0fe27865ab271963e27973e81b77bae, 890fe3f9c7009c23329f9a284ec2a61b. Registered URL: http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/. Scheduled task name: MicrosoftsUpdate. |
Attribution | No association with known threat actors. Observations suggest: – Use of “en-TW” parameter indicates a possible link to Traditional Chinese language. – Multiple typos in English strings suggest the actor is not a native English speaker. |
Recommendations | Not provided in the text. |
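The table gives no recommendations, so the following PowerShell hunt script is an added example (not code from the Securelist article or from the HrServ analysis) that checks a single Windows host for the indicators listed above. The hash, URL and task-name values come from the table; the `$findings` list, the enumeration of service `ImagePath`/`ServiceDll` registry values and the use of `netsh http show servicestate` / `show urlacl` are my own choices. Because the article does not name the service the operators created, services are matched by any reference to hrserv.dll rather than by name.

```powershell
# Added hunt script for the HrServ indicators summarised above (not from the Securelist article).
# Assumptions: run in an elevated PowerShell 5.1+ session on the host being checked; hash, URL
# and task-name values are copied from the summary, every other detail is my own choice.
$IocHashes = @(
    'b9b7f16ed28140c5fcfab026078f4e2e',
    '418657bf50ee32acc633b95bac4943c6',
    'd0fe27865ab271963e27973e81b77bae',
    '890fe3f9c7009c23329f9a284ec2a61b'
)
$IocUrlGuid  = 'FC4B97EB-2965-4A3B-8BAD-B8172DE25520'   # from http://+:80/<GUID>/
$IocTaskName = 'MicrosoftsUpdate'
$IocDllPath  = Join-Path $env:SystemRoot 'System32\hrserv.dll'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Initial infection: PAExec created a scheduled task named "MicrosoftsUpdate".
#    Match on the task name only; the summary does not give the .BAT file name.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq $IocTaskName } |
    ForEach-Object { $findings.Add("Scheduled task '$($_.TaskPath)$($_.TaskName)' exists (state: $($_.State))") }

# 2. Persistence: hrserv.dll copied to System32. A hash miss does NOT clear the host;
#    variants date back to 2021, so the file name alone already warrants investigation.
if (Test-Path -LiteralPath $IocDllPath) {
    $md5   = (Get-FileHash -LiteralPath $IocDllPath -Algorithm MD5).Hash.ToLower()
    $known = if ($IocHashes -contains $md5) { 'KNOWN IoC hash' } else { 'hash not in IoC list, possible variant' }
    $findings.Add("$IocDllPath present, MD5 $md5 ($known)")
}

# 3. Persistence: a service configured via the registry / sc. The service name is not given,
#    so flag any service whose ImagePath or Parameters\ServiceDll references hrserv.dll.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc  = $_.PSChildName
    $img  = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    $sdll = (Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ("$img $sdll" -match 'hrserv\.dll') {
        $findings.Add("Service '$svc' references hrserv.dll (ImagePath='$img', ServiceDll='$sdll')")
    }
}

# 4. Execution: HrServ registers its URL with the HTTP Server API (HTTP.sys).
#    'servicestate' lists prefixes of live listeners, so it only fires while the service runs;
#    'urlacl' shows URL reservations, which survive a service stop.
foreach ($sub in @('servicestate', 'urlacl')) {
    $out = netsh http show $sub 2>$null
    if ($out -match $IocUrlGuid) {
        $findings.Add("netsh http show $sub output contains the HrServ URL GUID $IocUrlGuid")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No HrServ indicators found on $env:COMPUTERNAME (absence of these IoCs does not prove the host is clean)."
} else {
    Write-Output "HrServ indicators on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output "  [!] $_" }
}
```

Run it per host (or wrap it in `Invoke-Command` for a fleet) and treat any single finding as grounds for full triage, since the cleanup step described above means the scheduled task and dropped files may already be gone while the service and HTTP.sys registration remain.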
Read full article: https://securelist.com/hrserv-apt-web-shell/111119/
Disclaimer: The above summary has been generated by an AI language model.