During a recent investigation, Kaspersky Lab discovered a previously unknown web shell in a DLL file named “hrserv.dll”. The web shell has advanced features, including custom encoding methods for communication with its client and the ability to perform in-memory operations.
Analysis of the sample also revealed related configurations compiled as far back as 2021, which suggests a link between these separate instances of malicious activity.
Hrserv begins by creating a task in the Windows Task Scheduler that is disguised as a routine system update. A dedicated script uploads the malicious file to the infected computer and activates it. Once active, Hrserv connects to a remote server for further control.
The web shell conceals its activity by mimicking ordinary internet traffic, using techniques that include Base64 encoding and the FNV1A64 hashing algorithm.
Hrserv has also been reported to disguise its web requests so that they appear to be normal requests to Google.
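The FNV1A64 algorithm named above is a plain, public hash function, and analysts routinely meet it when a sample stores hashed names or commands instead of clear-text strings. The following Python is an added example, not code from the Kaspersky report or from the hrserv sample: it implements FNV-1a 64 and a defender-side resolver that precomputes the hashes of candidate strings (ASCII and UTF-16LE, since Windows code may hash either) so that hash constants pulled from a binary can be mapped back to readable names. The candidate names and the "unknown" constants are constructed for the demonstration and are not values taken from the sample.

```python
"""
FNV-1a 64-bit hashing with a hash-to-string resolver for malware analysis.
Added example; not code from the Kaspersky report or the hrserv sample.
"""
from typing import Dict, Iterable, List, Optional, Tuple

FNV64_OFFSET_BASIS = 0xCBF29CE484222325  # standard FNV-1a 64 initial state
FNV64_PRIME = 0x100000001B3             # standard FNV 64-bit prime
MASK64 = (1 << 64) - 1                   # emulate C unsigned 64-bit overflow


def fnv1a64(data: bytes) -> int:
    """Compute the FNV-1a 64-bit hash of a byte string.

    FNV-1a XORs each input byte into the state before multiplying by the
    prime (plain FNV-1 multiplies first); the mask keeps the state at 64 bits.
    """
    h = FNV64_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def build_hash_table(candidates: Iterable[str],
                     encodings: Tuple[str, ...] = ("ascii", "utf-16-le")
                     ) -> Dict[int, Tuple[str, str]]:
    """Precompute FNV-1a 64 hashes of every candidate string in each encoding.

    Returns a mapping hash -> (string, encoding). Both narrow (ASCII) and wide
    (UTF-16LE) forms are tried because Windows code may hash either.
    """
    table: Dict[int, Tuple[str, str]] = {}
    for s in candidates:
        for enc in encodings:
            table[fnv1a64(s.encode(enc))] = (s, enc)
    return table


def resolve_hashes(unknown: Iterable[int],
                   table: Dict[int, Tuple[str, str]]
                   ) -> List[Tuple[int, Optional[Tuple[str, str]]]]:
    """Look up each hash constant found in a sample; None where nothing matches."""
    return [(h, table.get(h)) for h in unknown]


# Constructed candidate list (hypothetical): names an analyst might expect a
# web shell to reference. These are not the strings the sample actually hashes.
CANDIDATE_NAMES = ["CreateFileW", "WriteFile", "ReadFile",
                   "CreateProcessW", "WinHttpOpen"]

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_NAMES)
    # Constructed "unknown" constants: two derived from known names, one junk value.
    unknown = [fnv1a64(b"ReadFile"),
               fnv1a64("CreateProcessW".encode("utf-16-le")),
               0xDEADBEEF]
    for h, hit in resolve_hashes(unknown, table):
        print(f"{h:016x} -> {hit}")
```

In practice the candidate list is built from exported API names, common command verbs and strings seen in related samples; any constant that resolves tells the analyst which capability the code path implements without needing to run it.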
Once active, the malware can perform a range of actions on the infected device, such as reading and writing files and executing arbitrary commands. This lets attackers steal data, monitor user activity and potentially take full control of the compromised computer.
So far the malware is known to have been used only against a state institution in Afghanistan. However, because of its complexity and its ability to disguise itself, Hrserv could threaten organizations and individuals worldwide.
Kaspersky Lab’s investigation underlines the importance of staying vigilant and using advanced protective measures against threats of this kind. The team will continue to study the web shell and monitor related activity to help prevent future attacks.