| Category | Details |
|---|---|
| Threat Actors | Unknown threat actor; possibly a non-native English speaker; potential connection to Traditional Chinese language due to use of “en-TW” in parameters. |
| Campaign Overview | Discovery of a sophisticated web shell named hrserv.dll, exhibiting advanced features like custom encoding and in-memory execution. Variants date back to at least 2021, indicating prolonged malicious activity targeting at least one government entity in Afghanistan. |
| Target Regions (Victims) | A government entity in Afghanistan (only known victim according to telemetry data). |
| Methodology | - Initial infection: PAExec.exe creates a scheduled task named “MicrosoftsUpdate” to execute a .BAT file.<br>- Persistence: copies hrserv.dll to the System32 directory, configures a service via the registry and the sc utility, then activates it.<br>- Execution: HrServ starts an HTTP server and registers a specific URL for requests.<br>- Communication: uses custom encoding (Base64, FNV1A64 hashing) and mimics Google services in parameters to evade detection.<br>- Cleanup: deletes scheduled tasks and files to erase traces. |
| TTPs | - Use of scheduled tasks for persistence.<br>- Copying malicious DLLs to system directories.<br>- Creating and activating services via the registry and the sc utility.<br>- Setting up HTTP servers using the HTTP Server API.<br>- Custom encoding for client-server communication.<br>- Mimicking legitimate services (Google parameters, Outlook Web App) to blend in with normal traffic.<br>- In-memory execution of implants.<br>- Using the registry and temp files as communication channels.<br>- Deleting traces post-infection. |
| Indicators of Compromise | File hashes:<br>- b9b7f16ed28140c5fcfab026078f4e2e<br>- 418657bf50ee32acc633b95bac4943c6<br>- d0fe27865ab271963e27973e81b77bae<br>- 890fe3f9c7009c23329f9a284ec2a61b<br>Registered URL:<br>- http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/<br>Scheduled task name:<br>- MicrosoftsUpdate |
| Attribution | No association with known threat actors. Observations suggest:<br>- The “en-TW” parameter indicates a possible link to the Traditional Chinese language.<br>- Multiple typos in English strings suggest the actor is not a native English speaker. |
| Recommendations | Not provided in the text. |
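The table lists concrete artifacts a defender can hunt for: the scheduled task name, the hrserv.dll copy under System32, the HTTP Server API URL prefix, and the file hashes. The script below, an added example that is not part of the Securelist article or the summary above, turns those indicators into simple rules and runs them over a few constructed, event-log-style lines (the log format, the service name, the .BAT path and the PID are made up for the demonstration; the event IDs 4688, 4698 and 7045 are the standard Windows IDs for process creation, scheduled-task creation and service installation).

```python
"""Hunt for the HrServ indicators from the summary table over event-log-style text.

Added example; the log lines below are constructed, not captured from a real host.
"""
import re

# Indicators copied from the table above (32-hex-character digests, registered URL, task name).
HRSERV_HASHES = {
    "b9b7f16ed28140c5fcfab026078f4e2e",
    "418657bf50ee32acc633b95bac4943c6",
    "d0fe27865ab271963e27973e81b77bae",
    "890fe3f9c7009c23329f9a284ec2a61b",
}
HRSERV_URL = "http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/"
TASK_NAME = "MicrosoftsUpdate"
DLL_NAME = "hrserv.dll"

# One rule per step of the described infection chain.
# Event IDs: 4688 process creation, 4698 scheduled task created, 7045 service installed.
RULES = [
    # PAExec.exe launching schtasks.exe (the initial-infection step in the table)
    ("paexec_spawns_schtasks",
     re.compile(r"\b4688\b(?=.*\bschtasks\.exe)(?=.*\bPAExec\.exe)", re.I)),
    # a scheduled task created with the lookalike name from the table
    ("scheduled_task_MicrosoftsUpdate",
     re.compile(r"\b4698\b.*TaskName=\\?" + re.escape(TASK_NAME) + r"\b", re.I)),
    # a new service whose binary is hrserv.dll under System32
    ("service_loads_hrserv_dll",
     re.compile(r"\b7045\b.*System32\\" + re.escape(DLL_NAME), re.I)),
    # the HTTP Server API URL prefix HrServ registers
    ("hrserv_url_registered", re.compile(re.escape(HRSERV_URL), re.I)),
]


def scan_log(lines):
    """Return (1-based line number, rule name) for every line that trips a rule."""
    hits = []
    for number, line in enumerate(lines, 1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name))
    return hits


def match_hashes(observed):
    """Intersect observed file digests (any letter case) with the known HrServ hashes."""
    return {digest.lower() for digest in observed} & HRSERV_HASHES


# Constructed sample: one benign process event, the four steps from the table, and a
# legitimate Windows Update task that must not match the lookalike task name.
SAMPLE_LOG = r"""
4688 NewProcessName=C:\Windows\System32\svchost.exe ParentProcessName=C:\Windows\System32\services.exe
4688 NewProcessName=C:\Windows\System32\schtasks.exe ParentProcessName=C:\Tools\PAExec.exe CommandLine="schtasks /create /tn MicrosoftsUpdate /tr C:\CONSTRUCTED\run.bat"
4698 SubjectUserName=Administrator TaskName=\MicrosoftsUpdate
7045 ServiceName=CONSTRUCTED_SVC ImagePath=C:\Windows\System32\hrserv.dll StartType=auto
HTTP_SERVER_API Registered URL=http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/ PID=4120
4698 SubjectUserName=SYSTEM TaskName=\Microsoft\Windows\UpdateOrchestrator\Schedule Scan
""".strip().splitlines()


if __name__ == "__main__":
    for number, name in scan_log(SAMPLE_LOG):
        print(f"line {number}: {name}")
    # Digest list as a scanner might report it; only one entry is a known HrServ hash.
    print(match_hashes({"890FE3F9C7009C23329F9A284EC2A61B",
                        "d41d8cd98f00b204e9800998ecf8427e"}))
```

The rules are deliberately tied to the specific artifacts the table reports, so they are useful for confirming this exact tooling rather than the general technique; broader coverage of the TTPs (any scheduled task created by PAExec, any new service pointing at a freshly written DLL in System32, any non-IIS process registering an HTTP.sys URL prefix) would need rules that key on behaviour instead of names and hashes.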
Read full article: https://securelist.com/hrserv-apt-web-shell/111119/
Disclaimer: The above summary has been generated by an AI language model.