Malware, Phishing, Vulnerability Management

Spear phish uses Windows HLP files to skirt detection

Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails.

The HLP files are embedded in attachments that appear to users to be ZIP files. Once the files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users' passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.  

Symantec published a blog post on the threat Monday and disclosed that organizations in the government and the financial and manufacturing sectors were among the targets of the campaign.

In a Tuesday interview with, Vikram Thakur, principal security response manager at Symantec, said that hundreds to thousands of these malicious emails have been sent out to victims around the globe, though the majority of attacks have targeted those in the U.S.

Other regions affected include Canada, Asia, India, the Middle East, U.K. and Europe, according to a map in Symantec's blog post.

“If someone double-clicks the [file], a box will pop up and it will show a help file icon, which usually looks like a blue icon with a question mark,” Thakur said. “Windows Help is supposed to display content for [users], but in the majority of the cases we see, the window will open up empty.”

Thakur said that saboteurs seek to steal intellectual property from victims that fall for the scam.

In August, network security firm Radware posted a threat alert on its blog warning users of a trojan keylogger, named Admin.HLP, that could configure the Windows startup process so that the trojan ran upon rebooting the computer. In that instance, too, Admin.HLP also skirted detection by concealing itself inside a Windows help file attached to emails.

The malware logged victims' keystrokes and remotely sent passwords, credit card numbers and other sensitive information to command-and-control servers owned by the criminals.

In an email Wednesday to, Ziv Gadot, senior security analyst at Radware, said the firm has continued to monitor the use of the Admin.HLP trojan since they discovered it. Gadot said researchers also found evidence of cyber criminals targeting the government sector through phishing.

"We do think the Admin.HLP [attack] method will become more popular," Gadot said. "Not necessarily with the specific Admin.HLP binary file, but with similar variations that use the concept of a help file."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.