New HrServ.dll Web Shell Detected in APT Attack Targeting Afghan Government
- Richard Kreutzer
- Nov 26, 2023
- 1 min read
In recent cybersecurity news, a previously unknown web shell has been detected in an advanced persistent threat (APT) attack targeting an unnamed government entity in Afghanistan. The web shell, named HrServ.dll, exhibits sophisticated features, including custom encoding methods for client communication and in-memory execution. The discovery was made by Kaspersky security researcher Mert Degirmenci and detailed in an analysis published this week.
Web shells are malicious tools that offer remote control over a compromised server, enabling threat actors to conduct post-exploitation activities such as data theft, server monitoring, and lateral movement within the network.
The attack chain in this case uses the PAExec remote administration tool as a launchpad to create a scheduled task disguised as a Microsoft update, which then executes a Windows batch script. This script accepts an absolute path to a DLL file, which starts an HTTP server capable of parsing incoming HTTP requests for follow-on actions.
The web shell mimics Google services, using GET parameters handled by hrserv.dll to blend rogue requests into normal network traffic, making it hard to distinguish malicious activity from benign events. The shell can trigger the in-memory execution of a stealthy multifunctional implant responsible for erasing the forensic trail.
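The launch chain described above (a scheduled task named like a Microsoft update whose action runs a batch script that is handed an absolute path to a DLL) can be turned into a simple hunting heuristic over exported scheduled-task definitions. The following is an added example written for this post, not code from Kaspersky's analysis or The Hacker News; the task paths, script names and folder locations are constructed sample data, not indicators from the report, and the record layout is assumed to carry the task path, the action command and its arguments as `schtasks /query /fo CSV /v` or `Get-ScheduledTask` would expose them.

```python
import re

# Constructed sample of exported scheduled-task records (hypothetical paths and
# file names; only hrserv.dll is a name taken from the report).
SAMPLE_TASKS = [
    {"path": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "command": r"C:\Windows\system32\sc.exe",
     "arguments": "start wuauserv"},
    {"path": r"\MicrosoftUpdateCheck",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r'/c "C:\ProgramData\update.bat" C:\ProgramData\hrserv.dll'},
    {"path": r"\Backup\NightlyCopy",
     "command": r"C:\Windows\System32\cmd.exe",
     "arguments": r'/c "C:\Scripts\backup.bat"'},
    {"path": r"\Microsoft Update Service",
     "command": r"C:\Users\Public\svc.bat",
     "arguments": r"C:\Users\Public\loader.dll"},
]

# Task names that borrow Microsoft/Windows update wording.
UPDATE_NAME = re.compile(r"(microsoft|windows).*update|update.*(microsoft|windows)", re.I)
# A batch script referenced in the command or its arguments.
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
# An absolute Windows path ending in .dll passed as an argument.
DLL_ARG = re.compile(r"[A-Za-z]:\\[^\s\"']*\.dll\b", re.I)

DLL_REASON = "batch script is handed an absolute .dll path"


def analyse_task(task):
    """Return the heuristic reasons a task record resembles the HrServ launch chain."""
    reasons = []
    name = task["path"].rsplit("\\", 1)[-1]
    # Built-in update tasks live under the \Microsoft\Windows\ folder; an
    # update-like name anywhere else is worth a look.
    in_builtin_folder = task["path"].lower().startswith("\\microsoft\\windows\\")
    if UPDATE_NAME.search(name) and not in_builtin_folder:
        reasons.append("update-like name outside \\Microsoft\\Windows")

    cmd, args = task["command"], task["arguments"]
    runs_batch = bool(
        BATCH_FILE.search(cmd)
        or (cmd.lower().endswith("cmd.exe") and BATCH_FILE.search(args))
    )
    if runs_batch:
        reasons.append("action runs a batch script")
    if runs_batch and DLL_ARG.search(args):
        reasons.append(DLL_REASON)
    return reasons


def is_suspicious(reasons):
    """The batch-plus-DLL hand-off alone is enough; otherwise require two signals."""
    return DLL_REASON in reasons or len(reasons) >= 2


def hunt(tasks):
    """Map each suspicious task path to the reasons it was flagged."""
    flagged = {}
    for task in tasks:
        reasons = analyse_task(task)
        if is_suspicious(reasons):
            flagged[task["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_TASKS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Running it on the constructed records flags the two tasks that chain an update-like name, a batch script and a DLL path argument, and leaves the genuine Windows Update task and the plain backup script alone. The heuristics are deliberately loose; in a real environment the hit list is a starting point for checking who created the task, what the batch script contains and whether the DLL is known.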

The threat actor behind the web shell is currently unknown, but several typos in the source code suggest that the malware author is not a native English speaker. Although the malware's characteristics are more consistent with financially motivated malicious activity, its operational methodology exhibits similarities with APT behavior.
For more detailed information, you can read the original article on The Hacker News here.