Spear phish uses Windows HLP files to skirt detection

Share this article:

Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails.

The HLP files are embedded in attachments that appear to users to be ZIP files. Once the files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users' passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.  

Symantec published a blog post on the threat Monday and disclosed that organizations in the government and the financial and manufacturing sectors were among the targets of the campaign.

In a Tuesday interview with SCMagazine.com, Vikram Thakur, principal security response manager at Symantec, said that hundreds to thousands of these malicious emails have been sent out to victims around the globe, though the majority of attacks have targeted those in the U.S.

Other regions affected include Canada, Asia, India, the Middle East, U.K. and Europe, according to a map in Symantec's blog post.

“If someone double-clicks the [file], a box will pop up and it will show a help file icon, which usually looks like a blue icon with a question mark,” Thakur said. “Windows Help is supposed to display content for [users], but in the majority of the cases we see, the window will open up empty.”

Thakur said that saboteurs seek to steal intellectual property from victims that fall for the scam.

In August, network security firm Radware posted a threat alert on its blog warning users of a trojan keylogger, named Admin.HLP, that could configure the Windows startup process so that the trojan ran upon rebooting the computer. In that instance, too, Admin.HLP also skirted detection by concealing itself inside a Windows help file attached to emails.

The malware logged victims' keystrokes and remotely sent passwords, credit card numbers and other sensitive information to command-and-control servers owned by the criminals.

In an email Wednesday to SCMagazine.com, Ziv Gadot, senior security analyst at Radware, said the firm has continued to monitor the use of the Admin.HLP trojan since they discovered it. Gadot said researchers also found evidence of cyber criminals targeting the government sector through phishing.

"We do think the Admin.HLP [attack] method will become more popular," Gadot said. "Not necessarily with the specific Admin.HLP binary file, but with similar variations that use the concept of a help file."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.