Spear phish uses Windows HLP files to skirt detection

Share this article:

Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails.

The HLP files are embedded in attachments that appear to users to be ZIP files. Once the files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users' passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.  

Symantec published a blog post on the threat Monday and disclosed that organizations in the government and the financial and manufacturing sectors were among the targets of the campaign.

In a Tuesday interview with SCMagazine.com, Vikram Thakur, principal security response manager at Symantec, said that hundreds to thousands of these malicious emails have been sent out to victims around the globe, though the majority of attacks have targeted those in the U.S.

Other regions affected include Canada, Asia, India, the Middle East, U.K. and Europe, according to a map in Symantec's blog post.

“If someone double-clicks the [file], a box will pop up and it will show a help file icon, which usually looks like a blue icon with a question mark,” Thakur said. “Windows Help is supposed to display content for [users], but in the majority of the cases we see, the window will open up empty.”

Thakur said that saboteurs seek to steal intellectual property from victims that fall for the scam.

In August, network security firm Radware posted a threat alert on its blog warning users of a trojan keylogger, named Admin.HLP, that could configure the Windows startup process so that the trojan ran upon rebooting the computer. In that instance, too, Admin.HLP also skirted detection by concealing itself inside a Windows help file attached to emails.

The malware logged victims' keystrokes and remotely sent passwords, credit card numbers and other sensitive information to command-and-control servers owned by the criminals.

In an email Wednesday to SCMagazine.com, Ziv Gadot, senior security analyst at Radware, said the firm has continued to monitor the use of the Admin.HLP trojan since they discovered it. Gadot said researchers also found evidence of cyber criminals targeting the government sector through phishing.

"We do think the Admin.HLP [attack] method will become more popular," Gadot said. "Not necessarily with the specific Admin.HLP binary file, but with similar variations that use the concept of a help file."

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.