Analysis of a previously unknown web shell DLL, HrServ (hrserv.dll), shows it is deployed via a PAExec-triggered scheduled task that copies the DLL to System32, registers a service, and hosts an HTTP listener using HttpAddUrlToGroup. The implant uses custom Base64/FNV1A64 encoding and in-memory execution with registry and temp-file based communication; telemetry links variants back to 2021 and a victim in Afghanistan. #HrServ #PAExec #MicrosoftsUpdate #Afghanistan

Keypoints

  • Initial execution: PAExec.exe creates a scheduled task named MicrosoftsUpdate that runs a .BAT to copy hrserv.dll to System32 and register/activate a service.
  • HrServ registers an HTTP listener via the Windows HTTP Server API and HttpAddUrlToGroup at a GUID-based URL (e.g., http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/).
  • Client-server messages use custom encoding (Base64 plus FNV1A64 hashing) and rely on a GET parameter cp and the NID cookie value to select functionality and hide requests using Google-like parameter names.
  • cp parameter controls behavior: cp=0 allocates memory and starts a thread; cp=1 writes POST data to a file; cp=2 reads a file and returns it as a data:image/png;base64 response; cp=4/7 return OWA HTML; cp=6 triggers in-memory code execution.
  • Code execution (cp=6) decodes the NID cookie, writes it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile, copies the decoded POST payload into memory, creates a thread, and executes it in-memory; registry values and %temp% files are used as a communication channel with a multifunctional implant.
  • Post-infection cleanup deletes the MicrosoftsUpdate scheduled task and removes the DLL and batch files to erase traces.
  • Older variants (dating to 2021) use a different URL (e.g., https://+:443/owa/MSExchangeService.svc) and, instead of in-memory threads, spawn a process and retrieve output via a pipe.

MITRE Techniques

  • None – The article does not explicitly reference MITRE ATT&CK technique IDs; it describes behaviors (scheduled task creation, service registration, in-memory execution, web shell HTTP listener, encoded C2) but no MITRE technique identifiers are provided.

Indicators of Compromise

  • [File hashes] Sample identifiers – 418657bf50ee32acc633b95bac4943c6 (MD5), 8043e6c6b5e9e316950ddb7060883de119e54f226ab7a320b743be99b9c10ec5 (SHA256), and 2 more hashes listed in the source.
  • [Filenames / processes] Deployment artifacts – hrserv.dll, $public\JKNLA.bat, PAExec.exe.
  • [Scheduled task] Persistence entry – MicrosoftsUpdate (created and later deleted via schtasks).
  • [Registry key] Communication/persistence – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile (used to store decoded NID cookie values).
  • [URLs] Web shell listener endpoints – http://+:80/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/ and older variant https://+:443/owa/MSExchangeService.svc.

The actor used PAExec.exe to create a scheduled task named “MicrosoftsUpdate” that executed a batch script to copy the delivered DLL (hrserv.dll) into the System32 directory, register a service via registry modifications and sc.exe, and start that service. The DLL registers an HTTP listener using the Windows HTTP Server API and calls HttpAddUrlToGroup to bind a GUID-based URL; incoming requests use Google-like GET parameters (notably cp) and an NID cookie value, with client/server data encoded using Base64 and FNV1A64 hashing.

Functionality is selected by the cp GET parameter: cp=0 allocates memory and spawns a thread with a decoded NID value; cp=1 creates a file named from the decoded NID and writes decoded POST data; cp=2 reads that file and returns it appended to “data:image/png;base64” (with a specific fallback string on error); cp=4 and cp=7 return Outlook Web App HTML; cp=6 decodes the NID, writes it to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\RemoteFile, copies the decoded POST payload into memory, creates a thread, and executes code in-memory. In observed cases a multifunctional in-memory implant is launched that communicates back via %temp% files and registry values; after successful implantation the operator deletes the scheduled task and initial files to remove traces.
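As an added detection example (not code from the Securelist report), the following Python flags web-server requests that match the traffic shape described above: a GUID-style or legacy listener path, a cp parameter, and a Google-style NID cookie sent to a non-Google host. The pipe-delimited log format and the NID values are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Behaviour the write-up attributes to each cp value.
CP_BEHAVIOUR = {
    "0": "allocate memory, start thread",
    "1": "write decoded POST body to file",
    "2": "read file back as data:image/png;base64",
    "4": "decoy OWA HTML",
    "6": "in-memory code execution",
    "7": "decoy OWA HTML",
}
HIGH_RISK_CP = {"0", "1", "2", "6"}

# Listener paths from the report: a GUID directory and the older OWA-style path.
GUID_PATH = re.compile(r"^/[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}/?$", re.I)
LEGACY_PATH = "/owa/msexchangeservice.svc"
NID_COOKIE = re.compile(r"(?:^|;\s*)NID=([^;\s]+)")

def classify(method, url, cookie_header):
    """Return a finding for a request matching HrServ's traffic shape, else None."""
    parts = urlsplit(url)
    path_hit = bool(GUID_PATH.match(parts.path)) or parts.path.lower() == LEGACY_PATH
    cp = parse_qs(parts.query).get("cp", [None])[0]
    if not path_hit or cp is None:
        return None
    return {
        "method": method,
        "path": parts.path,
        "cp": cp,
        "behaviour": CP_BEHAVIOUR.get(cp, "unknown cp value"),
        "nid_present": NID_COOKIE.search(cookie_header or "") is not None,
        "severity": "high" if cp in HIGH_RISK_CP else "low",
    }

def hunt(log_lines):
    """Parse constructed 'method|url|cookie' lines and return all findings."""
    findings = []
    for line in log_lines:
        method, url, cookie = (line.split("|", 2) + ["", ""])[:3]
        finding = classify(method.strip(), url.strip(), cookie.strip())
        if finding:
            findings.append(finding)
    return findings

# Constructed sample lines (not from the report); NID values are dummies.
SAMPLE_LOG = [
    "GET|/owa/auth/logon.aspx?url=https://mail/owa|",
    "GET|/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/?cp=4|NID=ZmFrZQ==",
    "POST|/FC4B97EB-2965-4A3B-8BAD-B8172DE25520/?cp=6|NID=cGF5bG9hZA==",
    "POST|/owa/MSExchangeService.svc?cp=1|NID=b2xk",
]
```

Run `hunt(SAMPLE_LOG)` to see the decoy cp=4 request scored low and the cp=6 and cp=1 requests scored high.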

Earlier variants from 2021 perform the same custom decoding and error handling but differ in URL (e.g., https://+:443/owa/MSExchangeService.svc) and in execution approach (they create a process and capture output via a pipe instead of allocating memory and creating a thread). Relevant IOCs include multiple file hashes published with the report and the artifacts listed above; the sample’s compile timestamps and telemetry tie related variants to activity since 2021 with at least one victim in Afghanistan.

Read more: https://securelist.com/hrserv-apt-web-shell/111119/