New ‘HrServ.dll’ Web Shell Identified in APT Attack on Afghan Government

In a significant cybersecurity incident, an unidentified government entity in Afghanistan has fallen victim to a previously unreported web shell identified as HrServ, suggesting links to an advanced persistent threat (APT) attack. The malware is a dynamic-link library (DLL) named "hrserv.dll" that offers advanced capabilities, including custom encoding for client communication and in-memory execution, as detailed in an analysis by Kaspersky researcher Mert Degirmenci.

Kaspersky reports that, based on compilation timestamps, variants of the malware date back to early 2021. Web shells such as HrServ are malicious tools that give an attacker remote control over a compromised server. Once uploaded, they let the adversary carry out post-exploitation tasks such as data theft and lateral movement across the network.

The operation uses PAExec, a remote administration tool that serves the same purpose as the better-known PsExec, to create a scheduled task disguised as a Microsoft update and named "MicrosoftsUpdate." When the task runs, it launches a Windows batch script named "JKNLA.bat," which takes the full path to "hrserv.dll" as its argument. The DLL is then executed as a service and starts an HTTP server that parses incoming HTTP requests to decide what to do next. For defenders, the artifacts to hunt for are the task name, the batch file, a newly installed service backed by a DLL, and an HTTP listener where none is expected.

According to Degirmenci, the web shell is engineered to blend in with legitimate network traffic, which makes its activity hard to separate from benign requests. GET requests carry a parameter named cp whose value, 0 through 7, selects the action to perform, including creating threads, manipulating files, and handling Outlook Web App HTML data. If the cp parameter of a POST request equals 6, the web shell parses encoded data from the request into memory and executes it.
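One way to turn the request pattern above into a detection is to scan web server access logs for requests whose query string carries a small-integer cp command code and to rank a POST with cp=6 highest. The code below is an added example written for this page; it is not Kaspersky's code or from the original article. The log lines are constructed, and the combined-log format, the "/hrserv" path and the severity labels are assumptions for illustration.

```python
"""Added example: flag HTTP requests that carry the small-integer `cp`
command parameter described for the HrServ web shell.

Assumptions (not from the report): Apache/nginx combined log format,
the `/hrserv` request path, and the severity labels used below.
Sample log lines are constructed for this example."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Command codes reported for HrServ: cp in 0..7; a POST with cp=6 is the
# path that loads encoded data into memory and executes it.
CP_RANGE = range(0, 8)
EXEC_CODE = 6


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so `cp=` (empty) is still visible for inspection
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (severity, reason) for a parsed request, or None if it is not suspicious."""
    cp_vals = rec["query"].get("cp", [])
    if len(cp_vals) != 1:
        return None
    v = cp_vals[0]
    # Only a single decimal value in the reported 0..7 range counts.
    if not v.isdigit() or int(v) not in CP_RANGE:
        return None
    cp = int(v)
    if rec["method"] == "POST" and cp == EXEC_CODE:
        return ("high", f"POST cp={cp}: in-memory code execution path")
    if rec["method"] == "GET":
        return ("medium", f"GET cp={cp}: HrServ-style command dispatch")
    return ("low", f"{rec['method']} cp={cp}: cp code outside the described GET/POST usage")


def scan(lines):
    """Run classify() over every parseable line and return the hits in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        hits.append({
            "src": rec["src"],
            "method": rec["method"],
            "path": rec["path"],
            "cp": int(rec["query"]["cp"][0]),
            "severity": verdict[0],
            "reason": verdict[1],
        })
    return hits


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2023:08:12:01 +0000] "GET /index.html HTTP/1.1" 200 4321',
    '203.0.113.5 - - [10/Nov/2023:08:12:05 +0000] "GET /hrserv?cp=1 HTTP/1.1" 200 80',
    '203.0.113.5 - - [10/Nov/2023:08:12:09 +0000] "POST /hrserv?cp=6 HTTP/1.1" 200 12',
    '203.0.113.5 - - [10/Nov/2023:08:12:12 +0000] "POST /owa/?cp=3 HTTP/1.1" 200 5000',
    '198.51.100.7 - - [10/Nov/2023:08:13:00 +0000] "GET /search?q=cp&cp=42 HTTP/1.1" 200 900',
    '198.51.100.7 - - [10/Nov/2023:08:13:02 +0000] "GET /page?cp=abc HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['src']} {hit['method']} {hit['path']} -> {hit['reason']}")
```

A cp parameter on its own is a weak indicator, since the shell is built to blend in and plenty of legitimate applications use short integer parameters. Treat a hit as a pivot point: check whether the request path is served by a DLL-hosted HTTP listener rather than the expected web application, and correlate it with the "MicrosoftsUpdate" task and the service installation described above.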

Beyond these functions, the web shell can activate a stealthy "multifunctional implant" that covers its tracks by deleting the "MicrosoftsUpdate" task and the original DLL and batch files. Because those on-disk artifacts may already be gone by the time an investigation starts, task-creation and service-installation events and web server logs are the more durable evidence. The identity of the threat actor is unknown, but typos in the source code suggest that the authors are not native English speakers.

Degirmenci notes that although some characteristics of the malware point to a financial motive, the methodology resembles APT behavior. The tactics observed map to several techniques in the MITRE ATT&CK framework: execution through a remote administration tool (PAExec), persistence via a scheduled task and a web shell, command and control over HTTP, and indicator removal by deleting the task and the dropped files.

This incident is a stark reminder that government entities and organizations in sensitive domains remain prime targets for sophisticated cyber threats. Vigilance and layered protective measures remain critical to thwarting breaches and maintaining operational integrity.
