Introduction 介绍
In the course of our routine investigation, we discovered a DLL file, identified as hrserv.dll, which is a previously unknown web shell exhibiting sophisticated features such as custom encoding methods for client communication and in-memory execution. Our analysis of the sample led to the discovery of related variants compiled in 2021, indicating a potential correlation between these separate occurrences of malicious activity.
在我们的例行调查过程中,我们发现了一个DLL文件,标识为hrserv.dll,这是一个以前未知的Web shell,具有复杂的功能,例如用于客户端通信和内存中执行的自定义编码方法。我们对样本的分析导致发现了 2021 年编制的相关变体,表明这些单独发生的恶意活动之间存在潜在相关性。
Initial infection 初次感染
According to our telemetry data, the PAExec.exe process initiates the creation of a scheduled task on the system named MicrosoftsUpdate (sic), which in turn is designed to execute a .BAT file.
根据我们的遥测数据,PAExec.exe 进程在名为 MicrosoftsUpdate (sic) 的系统上启动计划任务的创建,该任务又旨在执行 .BAT 文件。
|
1
2
|
“schtasks” /create /sc DAILY /tn MicrosoftsUpdate /tr “$system32\cmd.exe /c
$public\JKNLA.bat $public\hrserv.dll” /ru system /f
|
The .BAT file accepts the path of a DLL file as an argument. In this instance, the script is provided with the file $public\hrserv.dll, which is then copied to the System32 directory. After this operation, the script configures a service via the system registry and the sc utility. It then activates the newly created service.
.BAT 文件接受 DLL 文件的路径作为参数。在此实例中,脚本随文件一起提供 $public\hrserv.dll,然后将其复制到 System32 目录。执行此操作后,脚本将通过系统注册表和 sc 实用程序配置服务。然后,它会激活新创建的服务。
HrServ web shell HrServ Web 外壳
| MD5 | 418657bf50ee32acc633b95bac4943c6 |
| SHA1 SHA1的 | cb257e00a1082fc79debf9d1cb469bd250d8e026 |
| SHA256 SHA256的 | 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5 |
| Link time 链接时间 | 2023-Aug-30 08:28:15 2023-八月-30 08:28:15 |
| File type 文件类型 | PE32+ executable (DLL) (console) x86-64, for MS Windows PE32+ 可执行文件 (DLL) (控制台) x86-64,适用于 MS Windows |
| Compiler 编译器 | Microsoft Visual C/C++(2015 v.14.0) Microsoft Visual C/C++(2015 v.14.0) |
The sequence of operations starts with the registration of a service handler. HrServ then initiates an HTTP server utilizing the HTTP server API for its functionality. It calls the HttpAddUrlToGroup function to register the following URL so that matching requests are routed to the request queue.
操作序列从服务处理程序的注册开始。然后,HrServ 利用 HTTP 服务器 API 启动 HTTP 服务器来实现其功能。它调用 HttpAddUrlToGroup 函数来注册以下 URL,以便将匹配的请求路由到请求队列。
|
1
|
http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/
|
Client-server communication uses custom encoding techniques that include Base64 encoding and FNV1A64 hashing algorithms.
客户端-服务器通信使用自定义编码技术,包括 Base64 编码和FNV1A64哈希算法。
Based on the type and information within an HTTP request, specific functions are activated. These functions are distinguished by the GET parameter named cp. In addition, the DLL file utilizes the value of the NID cookie for various purposes. The use of the GET parameter pattern and the cookie value is consistent with practices employed by Google. We suspect that this intentional similarity in naming conventions is intended to disguise these requests in network traffic, making it more challenging to detect such malicious activity.
根据 HTTP 请求中的类型和信息,激活特定功能。这些函数由名为 cp 的 GET 参数来区分。此外,DLL文件将NID cookie的值用于各种目的。GET 参数模式和 Cookie 值的使用与 Google 采用的做法一致。我们怀疑,命名约定中的这种故意相似性旨在在网络流量中伪装这些请求,从而使检测此类恶意活动更具挑战性。
An example of such a request would be:
此类请求的示例如下:
|
1
|
&cp=1&client=desktop–gws–wiz–on–focus–serp&xssi=t&hl=en–TW&authuser=0&pq=
|
| Request type 请求类型 | cp value CP值 | Description 描述 |
| GET | 0 | Call VirtualAlloc and copy a custom decoded NID cookie value, then create a new thread. 调用 VirtualAlloc 并复制自定义解码的 NID cookie 值,然后创建新线程。 |
| POST 发布 | 1 | Create a file using the custom decoded NID cookie value and write the custom decoded POST data to that file. 使用自定义解码的 NID cookie 值创建一个文件,并将自定义解码的 POST 数据写入该文件。 |
| GET | 2 | Read a file using the custom decoded NID cookie value and return it as a response by appending it to the end of the “data:image/png;base64” string; 使用自定义解码的 NID cookie 值读取文件,并将其附加到“data:image/png;base64“ 字符串; If an error occurs while reading the file, HrServ responds with the string: 如果在读取文件时发生错误,HrServ 会使用字符串进行响应: data:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//; 数据:image/png;base64,c3Dlc+DheRzlKBV2Yh92KS//; |
| GET | 4 | Return Outlook Web App HTML data. 返回 Outlook Web App HTML 数据。 |
| POST 发布 | 6 | Call VirtualAlloc and copy the custom decoded POST data, then create a new thread. 调用 VirtualAlloc 并复制自定义解码的 POST 数据,然后创建一个新线程。 |
| GET | 7 | Return Outlook Web App HTML data [Duplicate]. 返回 Outlook Web App HTML 数据 [重复]。 |
Code execution 代码执行
If the cp value in the request is 6, this indicates a code execution process.
如果请求中的 cp 值为 6,则表示代码执行过程。
- Initially, it extracts the value of the NID cookie and applies its custom decoding technique
最初,它提取 NID cookie 的值并应用其自定义解码技术 - It writes this decoded value to the specified registry path, denoted as “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile”
它将此解码值写入指定的注册表路径,表示为“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile” - The custom-decoded POST data is then copied to the memory, after which a new thread is created and the process enters a sleep state.
然后,将自定义解码的 POST 数据复制到内存中,然后创建一个新线程,进程进入休眠状态。
In a particular observed scenario, the cp value is unknown. A multifunctional implant is activated in the system memory. The implant creates a file in the directory “%temp%”, retrieves information from the registry, performs some actions based on this information, and records the output of these actions in the created file. As a result, the registry and the temporary file are used as a communication channel between the implant and HrServ.
在特定观察到的场景中,cp 值是未知的。在系统内存中激活一个多功能植入物。植入程序在目录“%temp%”中创建一个文件,从注册表中检索信息,根据此信息执行一些操作,并将这些操作的输出记录在创建的文件中。因此,注册表和临时文件被用作植入物和 HrServ 之间的通信通道。
Available commands of the memory implant
内存植入的可用命令
Based on our telemetry data, after successfully establishing a foothold and placing the memory implant in the system memory, the next actions are to erase the previously existing traces by deleting the scheduled “MicrosoftsUpdate” job and both the initial DLL and batch files:
根据遥测数据,在成功建立立足点并将内存植入物置于系统内存中后,接下来的操作是通过删除计划的“MicrosoftsUpdate”作业以及初始 DLL 和批处理文件来擦除以前存在的跟踪:
|
1
2
|
schtasks /delete /tn MicrosoftsUpdate /f
cmd /c “del /f/s/q $public\hrserv.dll & del /f/s/q $public\JKNLA.bat”
|
Older variants 较旧的变体
We have also discovered earlier, differently named variants of HrServ. These DLL files date back to early 2021. They also use the custom encoding algorithm and behave the same way after a file read error. However, there are subtle differences.
我们还发现了 HrServ 的早期不同名称的变体。这些DLL文件可以追溯到2021年初。它们还使用自定义编码算法,并在文件读取错误后以相同的方式运行。但是,存在细微的差异。
- The web shell URL of these older variants differs from the current one:
这些旧变体的 Web Shell URL 与当前变体不同:
1https://+:443/owa/MSExchangeService.svc - These samples exhibit a distinct behavior by creating a process and retrieving its output through a pipe, as opposed to allocating a memory section and creating a thread from it.
这些示例通过创建进程并通过管道检索其输出来表现出独特的行为,而不是分配内存部分并从中创建线程。
Victims 受害者
The only known victim according to our telemetry is a government entity in Afghanistan.
根据我们的遥测数据,唯一已知的受害者是阿富汗的一个政府实体。
Attribution 归 因
The TTPs analyzed in this investigation are not associated with any known threat actors we are tracking, but there are a few things that we observed:
本次调查中分析的 TTP 与我们正在跟踪的任何已知威胁参与者无关,但我们观察到以下几点:
- the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include “hl”. This specifies the host language of the user interface. Although this parameter has no functionality within the attack vector, the assigned value “en-TW” specifies that the Google search interface should be displayed in English, but the search results should be displayed in Traditional Chinese:
hrserv.dll 文件中使用的 GET 参数(用于模拟 Google 服务)包括“hl”。这指定了用户界面的宿主语言。尽管此参数在攻击媒介中不起作用,但赋值“en-TW”指定 Google 搜索界面应以英文显示,但搜索结果应以繁体中文显示:
1&cp=1&client=desktop–gws–wiz–on–focus–serp&xssi=t&hl=en–TW&authuser=0&pq= - the samples include help strings for specific conditions, in English. We saw multiple typos that suggest the actor behind the samples is not a native English speaker.
这些示例包括针对特定条件的英文帮助字符串。我们看到多个错别字,表明样本背后的演员不是以英语为母语的人。
An error message with a typo
带有拼写错误的错误消息
Conclusion 结论
The analyzed sample represents a capable web shell. Based on the compile timestamps, its origins date back to at least 2021. This sophisticated malware variant exhibits the ability to initiate in-memory executions. In the observed scenario, communication is established through registry manipulations and temporary files.
分析的示例表示一个功能强大的 Web Shell。根据编译时间戳,其起源至少可以追溯到 2021 年。这种复杂的恶意软件变种表现出启动内存中执行的能力。在观察到的场景中,通信是通过注册表操作和临时文件建立的。
Notably, the web shell and memory implant use different strings for specific conditions. In addition, the memory implant features a meticulously crafted help message. Considering these factors, the malware’s characteristics are more consistent with financially motivated malicious activity. However, its operational methodology exhibits similarities with APT behavior. Despite the malware’s prolonged activity over several years, multiple instances involving these samples have not been documented. Our efforts are ongoing as we continue to monitor related activity, with the goal of unraveling the mystery in future investigations.
值得注意的是,Web Shell 和内存植入针对特定条件使用不同的字符串。此外,记忆植入物还具有精心制作的帮助信息。考虑到这些因素,恶意软件的特征更符合出于经济动机的恶意活动。然而,其操作方法与 APT 行为表现出相似性。尽管该恶意软件已经持续了数年,但尚未记录涉及这些样本的多个实例。我们的努力正在进行中,我们将继续监测相关活动,目标是在未来的调查中解开这个谜团。
Indicators of compromise
入侵指标
File hashes 文件哈希
b9b7f16ed28140c5fcfab026078f4e2e
418657bf50ee32acc633b95bac4943c6
d0fe27865ab271963e27973e81b77bae
890fe3f9c7009c23329f9a284ec2a61b
原文始发于MERT DEGIRMENCI:HrServ – Previously unknown web shell used in APT attack
转载请注明:HrServ – Previously unknown web shell used in APT attack | CTF导航
相关文章
