HrServ is a recently identified web shell that was used in an Advanced Persistent Threat (APT) intrusion against an Afghan government entity. It was recovered as a dynamic-link library (DLL) named "hrserv.dll" and combines several capabilities worth noting for detection: a custom encoding scheme for its client-side (operator) communication and the ability to load and execute code directly in memory rather than dropping further files to disk.
Kaspersky researchers who analyzed HrServ found that it mixes traits of APT tooling with those of commodity crimeware. The web shell has likely been active since 2021. It gives an operator remote administrative control over the compromised server, and one of its key capabilities is the removal of its own traces, which makes detection and reconstruction of the attacker's activity considerably harder than with a conventional file-based web shell.
APT actors have used HrServ to compromise Windows systems, relying on these features to maintain access and act on the target. Tooling of this kind is a reminder that file-hash indicators alone are a thin defence against in-memory execution and anti-forensic behaviour, and that continuous monitoring and updated detection are required alongside them.
IoC
SHA256
- f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0
- 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5
SHA1
- cb257e00a1082fc79debf9d1cb469bd250d8e026
- a5796a2cc31e1ab1a8a12131f803affe735a835f
MD5
- b9b7f16ed28140c5fcfab026078f4e2e
- 890fe3f9c7009c23329f9a284ec2a61b
- d0fe27865ab271963e27973e81b77bae
- 418657bf50ee32acc633b95bac4943c6
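The hashes above are only useful once they are actually matched against files on a host. The following is an added example (not code from the original post or from Kaspersky) of a small scanner that embeds the listed indicators, checks each IoC's length against the algorithm it is filed under (the 40-character values are SHA1, not SHA256), hashes every file under a directory in one pass and reports hash or filename hits. The directory tree it scans in the demo, and the file contents written into it, are constructed for this example; the filename indicator "hrserv.dll" is taken from the post and is deliberately treated as weak evidence on its own. Names such as `scan_tree` and `demo_scan` are this example's own.

```python
import hashlib
import os
import tempfile

# IoC hashes as listed in this post, grouped by algorithm (lowercase hex).
IOC_HASHES = {
    "sha256": {
        "f38517692ab3e817182a396a407d9fe1c260c89bb6b733764737562f235115f0",
        "8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5",
    },
    "sha1": {
        "cb257e00a1082fc79debf9d1cb469bd250d8e026",
        "a5796a2cc31e1ab1a8a12131f803affe735a835f",
    },
    "md5": {
        "b9b7f16ed28140c5fcfab026078f4e2e",
        "890fe3f9c7009c23329f9a284ec2a61b",
        "d0fe27865ab271963e27973e81b77bae",
        "418657bf50ee32acc633b95bac4943c6",
    },
}

# File name reported for the web shell. A name match alone is weak evidence:
# a renamed sample will not match it, and a benign file could carry the name.
SUSPICIOUS_NAMES = {"hrserv.dll"}


def classify_ioc(value):
    """Return the hash algorithm implied by a hex indicator's length, or None.

    Used to catch indicators filed under the wrong heading before scanning."""
    v = value.strip().lower()
    if not all(c in "0123456789abcdef" for c in v):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))


def hash_file(path, chunk_size=1 << 20):
    """Compute md5, sha1 and sha256 of a file in a single read pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_file(path, iocs=IOC_HASHES, names=SUSPICIOUS_NAMES):
    """Return a list of (indicator_type, value) hits for one file."""
    hits = []
    base = os.path.basename(path)
    if base.lower() in names:
        hits.append(("filename", base))
    digests = hash_file(path)
    for algo, known in iocs.items():
        if digests[algo] in known:
            hits.append((algo, digests[algo]))
    return hits


def scan_tree(root, iocs=IOC_HASHES, names=SUSPICIOUS_NAMES):
    """Walk root and return {path: hits} for every file with at least one hit."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                hits = scan_file(p, iocs, names)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the scan
            if hits:
                findings[p] = hits
    return findings


def demo_scan(iocs=IOC_HASHES, names=SUSPICIOUS_NAMES):
    """Scan a constructed temporary tree and return {basename: hits}.

    The file contents are made up for this example, so against the real
    IoC set only the filename indicator can fire, never a hash."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "hrserv.dll": b"constructed placeholder, not the real sample\n",
            "notes.txt": b"abc",
        }
        for fn, data in files.items():
            with open(os.path.join(tmp, fn), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): h for p, h in scan_tree(tmp, iocs, names).items()}


if __name__ == "__main__":
    for algo, known in IOC_HASHES.items():
        for h in known:
            assert classify_ioc(h) == algo, f"{h} is not a {algo} digest"
    for name, hits in demo_scan().items():
        print(name, hits)
```

Run it as-is to see the constructed demo, or call `scan_tree(r"C:\inetpub")` (or whatever web root applies) on a suspect host. Treat a hash hit as a strong indicator and a filename-only hit as a lead to triage; since HrServ executes code in memory, a clean hash scan does not rule out a compromise.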
REFERENCES
- https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html
- https://securelist.com/hrserv-apt-web-shell/111119/
- https://otx.alienvault.com/pulse/655e28718ae876cc76a77b6c
TAGS
apt, hrserv, webshell