Spear phish uses Windows HLP files to skirt detection

By on
Spear phish uses Windows HLP files to skirt detection

An increase in spear phishing, where trojans are hidden inside Windows help files, is assisting attackers in stealing information from a variety of industries.

Researchers have noted an increase in spear phishing targeting numerous industries, primarily in the United States, where malware evades detection by hiding inside Windows help (HLP) files attached to emails.

The HLP files are embedded in attachments that appear to users to be ZIP files. Once the files are opened, however, one of several backdoors will be downloaded, allowing an attacker to carry out a range of feats – from changing users' passwords to logging keystrokes to capturing screenshots or a number of other information-stealing tactics sent from the command-and-control server.  

Symantec published a blog post on the threat Monday and disclosed that organizations in the government and the financial and manufacturing sectors were among the targets of the campaign.

Principal security response manager Vikram Thakur said that hundreds to thousands of these malicious emails have been sent out to victims around the globe, though the majority of attacks have targeted those in the US.

Other regions affected include Canada, Asia, India, the Middle East, UK and Europe, according to a map in Symantec's blog post.

“If someone double-clicks the [file], a box will pop up and it will show a help file icon, which usually looks like a blue icon with a question mark,” Thakur said.

“Windows Help is supposed to display content for [users], but in the majority of the cases we see, the window will open up empty.”

Thakur said that saboteurs seek to steal intellectual property from victims that fall for the scam.

In August, network security firm Radware posted a threat alert on its blog warning users of a trojan keylogger, named Admin.HLP, that could configure the Windows startup process so that the trojan ran upon rebooting the computer.

In that instance, too, Admin.HLP also skirted detection by concealing itself inside a Windows help file attached to emails.

The malware logged victims' keystrokes and remotely sent passwords, credit card numbers and other sensitive information to command-and-control servers owned by the criminals.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?