FROM THE CROW'S NEST: "Web Shell on the Horizon: Unveiling the Mysterious HrServ in Cyber Waters"


Ahoy there, me hearties! From the crow's nest, I've spied a new form of digital treachery in the vast cyber seas – a web shell by the name of HrServ. This be a previously unknown web shell, as cunning and elusive as a siren in the fog. Let me regale ye with its tale.


Discovery and Characteristics

  • Sneaky Origins: This web shell, identified as hrserv.dll, be a cunning piece of work, not seen before in our waters. It boasts advanced trickery like custom encoding methods for communication and in-memory execution, like a phantom ship in the night. It was first spotted in a DLL file, and similar variants were traced back to 2021, hinting at a shadowy presence lurking for some time.


  • Devious Tactics: HrServ uses a scheduled task named "MicrosoftsUpdate" (a clever ruse, aye) to execute a .BAT file, which then copies the hrserv.dll file into the System32 directory, configures a service for it through the system registry and the sc utility, and activates that service like a saboteur on board.


  • Technical Details: The web shell operates with the craftiness of a skilled pirate, registering a service handler and starting its own HTTP server through the Windows HTTP server API. It employs a custom encoding that combines Base64 with the FNV1A64 hashing algorithm. This devilish tool selects which function to run based on the type and contents of each HTTP request, using the GET parameter named cp and the value of the NID cookie, like a coded message between conspiring pirates.


  • Complex Operations: The HrServ web shell can execute various operations based on the GET and POST requests. For instance, it can create files, read files, return Outlook Web App HTML data, and even execute code by extracting the value of the NID cookie and writing it to a specified registry path. It's as multifaceted as a treasure map with multiple paths leading to different outcomes.


  • Covering Tracks: After establishing a foothold, HrServ seeks to erase traces of its presence by deleting the "MicrosoftsUpdate" job and the initial files, much like a pirate ship disappearing into the mist after a raid.


  • Variants and Evolution: Earlier variants of HrServ, dating back to early 2021, have been discovered. These differ slightly in their actions, such as creating processes and retrieving outputs through pipes, a testament to its evolving cunning over time.

  • Specific Targets: The only known victim of this nefarious web shell is a government entity in Afghanistan, hinting at its selective and targeted nature.


  • Mysterious Origins and Intent: The creators of HrServ appear to be non-native English speakers, as suggested by typos in the help strings. The malware's characteristics lean towards financially motivated activities, yet its methodology exhibits similarities with APT behavior, making it a hybrid threat of sorts.
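Where a lookout might search, as an added hunting example that is not part of the original post or of the report it summarises: the request-side marker (a cp GET parameter paired with an NID cookie) checked over constructed web-log lines, and the host-side artifacts (the MicrosoftsUpdate task and an hrserv.dll service DLL under System32) checked over a constructed task/service inventory. The log layout, field order and every sample value are assumptions; because HrServ stands up its own listener through the HTTP server API rather than living inside a web application, the request check belongs on whatever records actually capture traffic to the host (proxy or packet-capture logs), not only on the web server's own access log.

```python
"""Flag the HrServ request and host markers the report describes.

Added example; log layout and all sample values are constructed.
Log fields per line: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Cookie)
"""
from urllib.parse import parse_qs

# Constructed traffic; "-" marks an empty field. Lines 2 and 3 carry both
# markers (cp parameter + NID cookie); line 5 has only one and is not flagged.
SAMPLE_LOG = """\
2023-11-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa -
2023-11-01 10:00:07 10.0.0.9 GET /index.html cp=1 NID=QUJDRA
2023-11-01 10:00:09 10.0.0.9 POST /index.html cp=3 NID=RlZIR1ZTSA
2023-11-01 10:00:12 10.0.0.7 GET /static/app.js v=2 session=abc
2023-11-01 10:00:15 10.0.0.7 GET /index.html cp=1 -
"""
# Constructed host inventory, as a scheduled-task/service export would list it.
SAMPLE_TASKS = ["MicrosoftsUpdate", "MicrosoftEdgeUpdateTaskMachineCore"]
SAMPLE_SERVICE_DLLS = [r"C:\Windows\System32\hrserv.dll",
                       r"C:\Windows\System32\wuaueng.dll"]

def parse_cookies(field):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; '-' means no cookie header."""
    if field == "-":
        return {}
    pairs = (kv.strip().partition("=") for kv in field.split(";"))
    return {k: v for k, _, v in pairs if k}

def request_markers(log_text):
    """Return (timestamp, ip, method, path, cp) for every request that has
    BOTH a 'cp' GET parameter and an 'NID' cookie, the pair HrServ keys on."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) < 7:
            continue  # malformed line: skip rather than abort the hunt
        date, time, ip, method, path, query, cookie = fields
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        if "cp" in params and "NID" in parse_cookies(cookie):
            hits.append((f"{date} {time}", ip, method, path, params["cp"][0]))
    return hits

def host_markers(task_names, service_dlls):
    """Scheduled task 'MicrosoftsUpdate' (note the stray 's') and a service
    DLL named hrserv.dll under System32 are the persistence artifacts named."""
    found = [f"task:{t}" for t in task_names if t.lower() == "microsoftsupdate"]
    found += [f"service_dll:{p}" for p in service_dlls
              if p.lower().replace("/", "\\").endswith("\\system32\\hrserv.dll")]
    return found
```

Either list alone is only a lead: a request with both markers, or a task and service DLL matching these names, is what warrants pulling the DLL for analysis.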

In conclusion, HrServ is a sophisticated and shadowy web shell, the likes of which we haven't seen before. It's a reminder that the cyber seas be ever-changing, and vigilance is key. Keep a weather eye on the horizon, for such threats may emerge when least expected! 🏴‍☠️💻