APT Groups Using HrServ Web Shell to Hack Windows Systems


A web shell is a malicious script or program planted on a server that gives an attacker remote administrative access and control over it.

Attackers deploy web shells to gain unauthorized access to a server or website, which lets them execute commands, upload and download files, and manipulate the system for purposes such as:-

  • Data theft 
  • Launching further attacks

Cybersecurity researchers at Securelist recently discovered a new web shell dubbed “hrserv.dll,” with advanced features like:-

  • Custom encoding
  • In-memory execution

During the analysis, the researchers also identified related variants dating back to 2021, suggesting the tooling has been in use since at least then.



HrServ Web Shell

PAExec.exe creates a scheduled task named ‘MicrosoftsUpdate’ that runs a .BAT file. The script copies hrserv.dll from the $public folder to System32, registers it as a service with the ‘sc’ utility (which writes the service entry to the registry), and then starts the newly created service.
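The persistence chain above (look-alike scheduled task, DLL dropped into System32, new service) leaves three separate traces in endpoint telemetry. The following hunting logic is an added example and not code from the Securelist report; the event records are constructed to mimic the fields a SIEM exposes for Security 4698 (scheduled task created), Sysmon 11 (file created) and System 7045 (service installed), and the field names are an assumption that depends on your collector.

```python
"""Hunt for the HrServ persistence chain in endpoint telemetry.

Added example, not code from the Securelist report. The records below are
constructed; real field names depend on the log collector (assumption).
Only the task name 'MicrosoftsUpdate' and the DLL name 'hrserv.dll'
come from the report.
"""
from collections import defaultdict

SUSPECT_TASK = "microsoftsupdate"   # task name reported by Securelist
SUSPECT_DLL = "hrserv.dll"          # DLL name reported by Securelist
SYSTEM32 = "\\windows\\system32\\"

EVENTS = [  # constructed sample telemetry, two hosts
    {"host": "srv01", "event_id": 4698, "task_name": "\\MicrosoftsUpdate",
     "command": "C:\\Users\\Public\\update.bat"},
    {"host": "srv01", "event_id": 11, "image": "C:\\Windows\\System32\\cmd.exe",
     "target": "C:\\Windows\\System32\\hrserv.dll"},
    {"host": "srv01", "event_id": 7045, "service_name": "hrserv",
     "image_path": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "service_dll": "C:\\Windows\\System32\\hrserv.dll"},
    {"host": "srv02", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\System32\\sc.exe start wuauserv"},
    {"host": "srv02", "event_id": 7045, "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]


def classify(event):
    """Return the chain stage an event matches ('task', 'dll_drop',
    'service'), or None when it does not match any stage."""
    eid = event.get("event_id")
    if eid == 4698:
        # compare the leaf task name; the real Windows Update task lives
        # under \Microsoft\Windows\WindowsUpdate, the fake one at the root
        name = event.get("task_name", "").lower().rsplit("\\", 1)[-1]
        if name == SUSPECT_TASK and event.get("command", "").lower().endswith(".bat"):
            return "task"
    elif eid == 11:
        target = event.get("target", "").lower()
        if SYSTEM32 in target and target.endswith(SUSPECT_DLL):
            return "dll_drop"
    elif eid == 7045:
        # sc-created service: the DLL may appear in the binary path or,
        # for svchost-hosted services, in the ServiceDll parameter
        blob = (event.get("image_path", "") + " " + event.get("service_dll", "")).lower()
        if SUSPECT_DLL in blob:
            return "service"
    return None


def detect_hrserv_chain(events, min_stages=2):
    """Group matched stages per host and return the hosts that show at
    least min_stages of the chain, so a single noisy match is not enough."""
    stages = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, hits in detect_hrserv_chain(EVENTS).items():
        print(f"{host}: {', '.join(hits)}")  # → srv01: dll_drop, service, task
```

Requiring two stages on the same host keeps a lone `.bat`-driven task from paging anyone; the 2021 variants described later in this article delete the task and the initial files once the implant is in memory, so the service entry and the DLL in System32 are the traces most likely to survive.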

HrServ starts by registering a service control handler, then launches an HTTP server that uses custom encoding for its traffic.

Specific functions are triggered by the value of the ‘cp’ GET parameter in incoming HTTP requests, and the DLL also reads the NID cookie. 

These names mimic Google's (NID is a cookie Google itself sets), most likely so the malicious requests blend in with legitimate web traffic, which makes detection harder.

A cp value of 6 triggers code execution, and in one observed case an unrecognised cp value caused a versatile implant to be loaded into system memory. 
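Because the web shell hides behind Google-style names, the useful network signal is the combination: a ‘cp’ parameter together with an NID cookie sent to a host that is not Google. The classifier below is an added example, not code from the Securelist report, and runs over constructed raw HTTP requests as a network sensor would hand them over. Only the cp parameter, the NID cookie and the meaning of cp=6 come from the report; the Google domain allow-list and the treatment of other cp values are assumptions.

```python
"""Flag HTTP requests that match HrServ's trigger pattern.

Added example, not code from the Securelist report. The requests are
constructed; the allow-list of Google domains is an assumption.
"""
from urllib.parse import urlsplit, parse_qs

# assumption: hosts where an NID cookie is expected and not suspicious
GOOGLE_HOSTS = ("google.com", "www.google.com", "accounts.google.com")

SAMPLE_REQUESTS = [  # constructed; 203.0.113.10 is a documentation address
    "GET /index.php?cp=6 HTTP/1.1\r\nHost: 203.0.113.10\r\nCookie: NID=511=abc123\r\n\r\n",
    "GET /search?q=test HTTP/1.1\r\nHost: www.google.com\r\nCookie: NID=511=def456\r\n\r\n",
    "GET /index.php?cp=9 HTTP/1.1\r\nHost: 203.0.113.10\r\nCookie: NID=511=ghi789\r\n\r\n",
    "GET /index.php?cp=6 HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n",
]


def parse_request(raw):
    """Split a raw request into (method, target, headers) with lower-cased
    header names; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(header):
    """Cookie header -> dict. Split on the first '=' only, because a
    Google-style NID value ('511=...') contains '=' itself."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify_request(raw):
    """Return a finding dict for a request matching the HrServ pattern,
    or None. 'cp' on its own is a common pagination parameter, so the
    NID cookie and a non-Google host are required to cut the noise."""
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    cp = parse_qs(urlsplit(target).query).get("cp", [None])[0]
    has_nid = "NID" in parse_cookies(headers.get("cookie", ""))
    if cp is None or not has_nid or host in GOOGLE_HOSTS:
        return None
    # cp=6 is the code-execution trigger reported by Securelist; any other
    # value is reported as unknown (the report ties one such case to the
    # in-memory implant, but the mapping is not public)
    verdict = "code_execution" if cp == "6" else "unknown_cp"
    return {"host": host, "path": urlsplit(target).path, "cp": cp, "verdict": verdict}


def scan(requests):
    """Classify every request and keep only the findings."""
    return [f for f in map(classify_request, requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The fourth sample request carries cp=6 but no NID cookie and is deliberately not flagged; that is the trade-off the allow-list and cookie check make, and a sensor that can also see the server's custom-encoded responses would be the place to tighten it.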

Commands of the memory implant (Source – Securelist)

The implant creates a file in “%temp%” and then:-

  • Retrieves registry info
  • Takes actions based on it
  • Records output in the file

The researchers also found HrServ variants from 2021 that use the same custom encoding. Once the implant is in system memory, these variants cover their tracks by deleting the “MicrosoftsUpdate” task and the initial files. Although the encoding is shared, their behavior differs in subtle ways.

The analysts could not attribute the TTPs to any known threat actor. According to the report, a government entity in Afghanistan has been identified as a victim.

Since 2021 the web shell has performed in-memory execution through registry modifications, and it communicates using strings that differ from those of the memory implant. Despite the APT-like behavior, the case shows predominantly financially motivated traits.

IOCs

File hashes (MD5):

b9b7f16ed28140c5fcfab026078f4e2e
418657bf50ee32acc633b95bac4943c6
d0fe27865ab271963e27973e81b77bae
890fe3f9c7009c23329f9a284ec2a61b
