Web shell "HrServ"

Lord777

During a recent Kaspersky Lab investigation, researchers discovered a DLL file identified as "hrserv.dll", which is a previously unknown web shell with advanced features, such as special coding methods for communicating with the client and performing operations in memory.

Analysis of this sample led to the discovery of related variants compiled back in 2021, indicating a potential link between these individual cases of malicious activity.

HrServ starts its work by creating a task in the Windows Scheduler under the guise of a regular system update. It uses a special script that downloads and activates a malicious file on an infected computer. After that, HrServ configures itself to run and manage via a remote server.

This web shell cleverly masks its activity, simulating normal Internet traffic. To do this, it uses sophisticated techniques, including Base64 encoding and FNV1A64 hashing algorithms.

It is reported that the HrServ web shell is able to replace information in Internet requests in such a way that they look like regular requests to Google.

Once activated, the malware can perform various actions on the infected device, including reading and writing files, as well as executing arbitrary commands. This allows attackers to steal data, monitor the user's activity, and even take full control of their computer.

At the moment, it is known that the malware was used only to attack a government agency in Afghanistan. However, given its complexity and ability to disguise itself, HrServ can pose a threat to a wide range of organizations and individuals anywhere in the world.

Kaspersky Lab's investigation highlights the need for vigilance and the use of advanced security techniques to protect yourself from such threats. The team will continue to investigate this web shell and monitor its associated activity to help prevent future attacks.
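An added example, not code from this post or from Kaspersky's report: the FNV-1a 64-bit hash the post names, together with the wordlist matching an analyst does when a sample stores hashes instead of cleartext strings. The wordlist and the "recovered" hash values are constructed; the post does not say which strings HrServ hashes.

```python
# FNV-1a, 64-bit: the standard offset basis and prime.
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a64(data: bytes) -> int:
    """FNV-1a 64: XOR each byte into the state, then multiply by the prime (mod 2^64)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def resolve_hashes(unknown, candidates, encoding="utf-8"):
    """Map hash values pulled from a sample back to cleartext.

    `unknown` is a set of 64-bit integers recovered from the binary,
    `candidates` a wordlist of strings the malware might have hashed.
    Returns {hash: cleartext} for every hit; unmatched hashes are left out.
    """
    table = {fnv1a64(c.encode(encoding)): c for c in candidates}
    return {h: table[h] for h in unknown if h in table}


if __name__ == "__main__":
    # Constructed wordlist (hypothetical command names, not from the post).
    wordlist = ["GET", "POST", "cmd", "upload", "download"]
    # Constructed values, as if read out of a disassembled sample.
    sample_hashes = {fnv1a64(b"cmd"), fnv1a64(b"download"), 0xDEADBEEF}
    for h, name in sorted(resolve_hashes(sample_hashes, wordlist).items()):
        print(f"{h:016x} -> {name}")
```

The known FNV-1a 64 test vectors (empty string gives the offset basis, "a" gives 0xaf63dc4c8601ec8c) are a quick way to confirm a reimplementation before trusting its matches.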