Spear phish uses Windows HLP files to skirt detection

Share this article:

Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails.

The HLP files are embedded in attachments that appear to users to be ZIP files. Once the files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users' passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.  

Symantec published a blog post on the threat Monday and disclosed that organizations in the government and the financial and manufacturing sectors were among the targets of the campaign.

In a Tuesday interview with SCMagazine.com, Vikram Thakur, principal security response manager at Symantec, said that hundreds to thousands of these malicious emails have been sent out to victims around the globe, though the majority of attacks have targeted those in the U.S.

Other regions affected include Canada, Asia, India, the Middle East, U.K. and Europe, according to a map in Symantec's blog post.

“If someone double-clicks the [file], a box will pop up and it will show a help file icon, which usually looks like a blue icon with a question mark,” Thakur said. “Windows Help is supposed to display content for [users], but in the majority of the cases we see, the window will open up empty.”

Thakur said that saboteurs seek to steal intellectual property from victims that fall for the scam.

In August, network security firm Radware posted a threat alert on its blog warning users of a trojan keylogger, named Admin.HLP, that could configure the Windows startup process so that the trojan ran upon rebooting the computer. In that instance, too, Admin.HLP also skirted detection by concealing itself inside a Windows help file attached to emails.

The malware logged victims' keystrokes and remotely sent passwords, credit card numbers and other sensitive information to command-and-control servers owned by the criminals.

In an email Wednesday to SCMagazine.com, Ziv Gadot, senior security analyst at Radware, said the firm has continued to monitor the use of the Admin.HLP trojan since they discovered it. Gadot said researchers also found evidence of cyber criminals targeting the government sector through phishing.

"We do think the Admin.HLP [attack] method will become more popular," Gadot said. "Not necessarily with the specific Admin.HLP binary file, but with similar variations that use the concept of a help file."

Share this article:

Sign up to our newsletters

More in News

Medical transcription provider settles data security charges

GMR Transcription Services in California agreed to settle FTC charges related to its security practices.

Researcher hacks network connected devices in own home

Researcher hacks network connected devices in own home

In his own home, a researcher was able to hack various network connected devices that are not computers and mobile phones.

Study: Most higher ed malware infections attributed to 'Flashback'

Study: Most higher ed malware infections attributed to ...

Flashback caused a stir in 2012 when some 650,000 Macs were infected with the malware.