HrServ – Previously unknown web shell used in APT attack


Introduction


In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Our analysis of the sample led to the discovery of related variants compiled in 2021, indicating a potential correlation between these separate occurrences of malicious activity.


Initial infection


According to our telemetry data, the PAExec.exe process initiates the creation of a scheduled task on the system named MicrosoftsUpdate (sic), which in turn is designed to execute a .BAT file.

"schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "$system32\cmd.exe /c $public\JKNLA.bat $public\hrserv.dll" /ru system /f


The .BAT file accepts the path of a DLL file as an argument. In this instance, the script is provided with the file $public\hrserv.dll, which is then copied to the System32 directory. After this operation, the script configures a service via the system registry and the sc utility. It then activates the newly created service.
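The persistence chain above (a remote-execution helper creating a scheduled task, the task launching a batch file from a world-writable directory with a DLL path as its argument, and the batch file registering and starting a service) leaves a distinctive trail in process-creation telemetry. The following detection logic is an added example, not code from the original article: it runs rule checks over a handful of constructed Sysmon Event ID 1 style events and then correlates the hits into the full chain. The concrete paths (C:\Users\Public, C:\Windows\System32), the service name PLACEHOLDER_SVC and the process IDs are assumptions standing in for the article's $public / $system32 placeholders and for values the article does not give.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
# C:\Users\Public and C:\Windows\System32 stand in for the article's $public / $system32;
# PLACEHOLDER_SVC is a made-up service name because the article does not name the service.
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Windows\PAExec.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'"schtasks" /create /sc DAILY /tn MicrosoftsUpdate /tr "C:\Windows\System32\cmd.exe /c C:\Users\Public\JKNLA.bat C:\Users\Public\hrserv.dll" /ru system /f'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\JKNLA.bat C:\Users\Public\hrserv.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create PLACEHOLDER_SVC binPath= "C:\Windows\System32\svchost.exe -k netsvcs" start= auto'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc start PLACEHOLDER_SVC"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKLM\SYSTEM\CurrentControlSet\Services\PLACEHOLDER_SVC /v Start /t REG_DWORD /d 2 /f"},
    # Benign-looking task creation from an interactive shell: should produce no hits.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc DAILY /tn NightlyBackup /tr "C:\Tools\backup.exe" /f'},
]

SCHTASKS_CREATE = re.compile(r"/create\b", re.IGNORECASE)
# /tr action that runs a .bat and passes a .dll path to it
TR_BAT_WITH_DLL = re.compile(r'/tr\s+"?[^"]*\.bat\s+[^"]*\.dll', re.IGNORECASE)
# batch file executed from the world-writable Public profile
PUBLIC_BAT = re.compile(r"\\Users\\Public\\[^\s\"]+\.bat", re.IGNORECASE)
# sc.exe creating, reconfiguring or starting a service
SC_SERVICE = re.compile(r"^(?:\"?[^\s\"]*sc(?:\.exe)?\"?)\s+(create|config|start)\b", re.IGNORECASE)
# direct writes under the Services registry key
REG_SERVICES = re.compile(r"\breg(?:\.exe)?\s+add\s+\"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule that matches one process-creation event."""
    hits: List[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    if image == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
        if TR_BAT_WITH_DLL.search(cmd):
            hits.append("task-runs-bat-with-dll-arg")
        if parent == "paexec.exe":
            hits.append("task-created-via-paexec")
    if image == "cmd.exe" and PUBLIC_BAT.search(cmd):
        hits.append("bat-from-public-dir")
    if image == "sc.exe" and parent == "cmd.exe":
        m = SC_SERVICE.search(cmd)
        if m:
            hits.append("service-" + m.group(1).lower() + "-from-cmd")
    if image == "reg.exe" and parent == "cmd.exe" and REG_SERVICES.search(cmd):
        hits.append("service-registry-write-from-cmd")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(idx, rule) for idx, ev in enumerate(events) for rule in evaluate(ev)]


# Stages that, seen together on one host, reproduce the chain described in the article.
CHAIN = ("task-runs-bat-with-dll-arg", "bat-from-public-dir",
         "service-create-from-cmd", "service-start-from-cmd")


def chain_observed(findings: List[Tuple[int, str]]) -> bool:
    """True when every stage of the task -> batch -> service chain was hit."""
    seen = {rule for _, rule in findings}
    return all(stage in seen for stage in CHAIN)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for idx, rule in results:
        print(f"event {idx}: {rule}")
    print("full persistence chain observed:", chain_observed(results))
```

Each rule on its own is noisy (administrators do create tasks and services from cmd.exe), which is why the final correlation requires all four stages; in a real pipeline the correlation window would additionally be bounded by host and time.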


HrServ web shell


MD5: 418657bf50ee32acc633b95bac4943c6
SHA1: cb257e00a1082fc79debf9d1cb469bd250d8e026
SHA256: 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5
Link time: 2023-Aug-30 08:28:15
File type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Compiler: Microsoft Visual C/C++ (2015 v.14.0)

The sequence of operations starts with the registration of a service handler. HrServ then starts an HTTP server built on the Windows HTTP Server API (http.sys), rather than opening its own listening socket. It calls the HttpAddUrlToGroup function to register the following URL so that matching requests are routed to its request queue.

http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/< ..
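Because the web shell registers its URL with the HTTP Server API instead of binding a socket, it does not appear as a separate listener in a netstat listing; the registration does, however, show up in the kernel's HTTP service state, which `netsh http show servicestate` prints. The parser below is an added example, not code from the article or from Microsoft: it reads a constructed excerpt modelled on the request-queue view of that command (`view=requestq`), pairs each request queue's registered URLs with the process IDs attached to it, and flags URLs whose path consists of a GUID-shaped segment like the one HrServ registers. The sample text, the process IDs and the benign WSMAN entry are constructed for the example and were not captured from a real host.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the layout of `netsh http show servicestate view=requestq`.
# Not captured from a real host: PIDs, group IDs and the WSMAN entry are made up for illustration.
SAMPLE_NETSH_OUTPUT = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4
    URL groups:
    URL group ID: F500000040000001
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1234
    URL groups:
    URL group ID: F500000040000002
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/
"""

# A path segment shaped like a GUID, e.g. /FC4B97EB-2965-4A3B-8BAD-B8172DE25520/
GUID_SEGMENT = re.compile(
    r"/[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/", re.IGNORECASE)
URL_LINE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE)


def parse_request_queues(text: str) -> List[Dict]:
    """Split the netsh output into request queues, each with its PIDs and registered URLs."""
    queues: List[Dict] = []
    section = None  # which indented list we are currently inside: "pids", "urls" or None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            queues.append({"name": line.split(":", 1)[1].strip(), "pids": [], "urls": []})
            section = None
        elif not queues:
            continue  # header text before the first queue
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            queues[-1]["pids"].append(int(line))
        elif section == "urls" and URL_LINE.match(line):
            queues[-1]["urls"].append(URL_LINE.match(line).group(1))
        elif line and ":" in line:
            section = None  # any other "Key: value" line closes the current list
    return queues


def flag_guid_urls(queues: List[Dict]) -> List[Dict]:
    """Return every registered URL with a GUID-shaped path, together with the owning PIDs."""
    flagged: List[Dict] = []
    for q in queues:
        for url in q["urls"]:
            if GUID_SEGMENT.search(url):
                flagged.append({"url": url, "pids": list(q["pids"])})
    return flagged


if __name__ == "__main__":
    for hit in flag_guid_urls(parse_request_queues(SAMPLE_NETSH_OUTPUT)):
        print(f"GUID-path URL registration {hit['url']} served by PID(s) {hit['pids']}")
```

On a live host the text would come from running the netsh command and the reported PIDs are the pivot: the process that owns the request queue is the one hosting the module, so it is where the loaded DLL list and the service definition should be examined next.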
