An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what's suspected to be an advanced persistent threat (APT) attack.
The web shell, a dynamic-link library (DLL) named "hrserv.dll," exhibits "sophisticated features such as custom encoding methods for client communication and in-memory execution," Kaspersky security researcher Mert Degirmenci said in an analysis published this week.
The Russian cybersecurity firm said it identified variants of the malware dating all the way back to early 2021 based on the compilation timestamps of these artifacts.
Web shells are typically malicious tools that provide remote control over a compromised server. Once uploaded, it allows threat actors to carry out a range of post-exploitation activities, including data theft, server monitoring, and lateral advancement within the network.
The attack chain involves the PAExec remote administration tool, an alternative to PsExec that's used as a launchpad to create a scheduled task that masquerades as a Microsoft update ("MicrosoftsUpdate"), which subsequently is configured to execute a Windows batch script ("JKNLA.bat").
The batch script accepts as an argument the absolute path to a DLL file ("hrserv.dll") that's then executed as a service to initiate an HTTP server that's capable of parsing incoming HTTP requests for follow-on actions.
"Based on the type and information within an HTTP request, specific functions are activated," Degirmenci said, adding "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'"
This is likely an attempt by the threat actor to blend these rogue requests in network traffic and make it a lot more challenging to distinguish malicious activity from benign events.
Embedded within those HTTP GET and POST requests is a parameter called cp, whose value – ranging from 0 to 7 – determines the next course of action. This includes spawning new threads, creating files with arbitrary data written to them, reading files, and accessing Outlook Web App HTML data.
If the value of cp in the POST request equals "6," it triggers code execution by parsing the encoded data and copying it into the memory, following which a new thread is created and the process enters a sleep state.
The web shell is also capable of activating the execution of a stealthy "multifunctional implant" in memory that's responsible for erasing the forensic trail by deleting the "MicrosoftsUpdate" job as well as the initial DLL and batch files.
The threat actor behind the web shell is currently not known, but the presence of several typos in the source code indicates that the malware author is not a native English speaker.
"Notably, the web shell and memory implant use different strings for specific conditions," Degirmenci concluded. "In addition, the memory implant features a meticulously crafted help message."
"Considering these factors, the malware's characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior."