Banking Trojan disguised as innocuous Word and WinHelp files
Posted on 03.04.2013
Part of the job of a malware author is to constantly think up new ways of outsmarting researchers and bypassing automatic detection methods used by antivirus and other security software. These techniques are eventually recognized and incorporated into the defenses, but it's always interesting for malware analysts to unearth new ones.

Panda Security malware researcher Bart Blaze has recently discovered a banking Trojan targeting Brazilian online banking users that employs a novel way to hide its real nature: its executables are delivered in the guise of .hlp (WinHelp) files.

The attack starts with fake invoice notices delivered via email.
Users who wish to review the invoice are urged to download a .zip file from a Dropbox account. It contains an executable whose file name carries a fake .docx extension and which uses an MPEG-4 icon, so that with extensions hidden, Windows Explorer shows only the decoy name.

Once run, the malware, which is currently poorly detected, contacts a remote server and automatically downloads what appears to be a WinHelp file; that file has a slightly better detection rate.

That file contains three more .hlp files, which are actually three Delphi executables renamed to .hlp and packed with VMProtect.

"The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example: C:\Program Files\2x8H8g," Blaze explains. Registry entries are also added so that the malware persists across reboots.

The malware's ultimate goal is to collect the victims' financial data: by harvesting it from the compromised computer, by injecting bogus pop-up forms the next time they log into their online banking accounts, or by redirecting them to fake login pages. It can also download additional malware onto the already compromised machine.

Apart from not clicking links or opening attachments in unsolicited emails, Windows users can make sure they always see a file's actual extension by clearing the "Hide extensions for known file types" option in Folder Options (View tab). With that option cleared, a file named invoice.docx.exe is displayed with its real .exe extension instead of as a Word document.
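The following PowerShell script is an added example for this article; it is not code from Panda Security, from Bart Blaze or from the article itself. It turns off extension hiding through the registry value behind the Folder Options checkbox, scans a folder for files whose content starts with the "MZ" header of a Windows executable but whose extension claims to be something else (such as .hlp or .docx), and lists Run-key persistence entries that point into a Program Files subfolder with a short random-looking name. The Downloads folder as starting point, the list of executable extensions and the 4-8 character letters-and-digits pattern for "random-looking" folder names are assumptions chosen here for illustration, not indicators from the article.

```powershell
# Added example, not code from the article or from Panda Security.
# Paths, the extension list and the folder-name heuristic are assumptions.

# 1. Show real file extensions. This is the registry value behind Explorer's
#    "Hide extensions for known file types" checkbox; 0 means "show extensions".
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hide = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hide -ne 0) {
    Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord
    Write-Host 'Extensions were hidden; setting changed. Restart explorer.exe or log off to apply.'
}

# 2. Flag files whose content is a Windows executable (the "MZ" DOS header) but whose
#    extension says otherwise, plus double-extension names such as invoice.docx.exe.
function Find-DisguisedExecutables {
    param([string]$Root = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed starting point

    $execExt = @('.exe', '.dll', '.scr', '.sys', '.com', '.cpl', '.ocx', '.drv')
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $f = $_
        if ($f.Length -lt 2) { return }
        $buf = New-Object byte[] 2
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try { [void]$fs.Read($buf, 0, 2) } finally { $fs.Close() }
        $isPE = ($buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)      # 'M' 'Z'
        $ext  = $f.Extension.ToLower()
        # A document or media extension immediately before the real one is the other half of the trick.
        $doubleExt = $f.Name -match '\.(docx?|xlsx?|pdf|jpe?g|mp4)\.[A-Za-z]{2,4}$'
        if (($isPE -and $execExt -notcontains $ext) -or $doubleExt) {
            [pscustomobject]@{
                Path      = $f.FullName
                Extension = $ext
                MZHeader  = $isPE
                DoubleExt = $doubleExt
            }
        }
    }
}

# 3. Review Run-key persistence pointing into a Program Files subfolder with a short,
#    random-looking name like the "2x8H8g" example quoted above. The 4-8 character
#    mixed letters-and-digits pattern is a heuristic chosen here, not an indicator from the article.
function Get-SuspiciousRunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip PSPath, PSParentPath, ...
            $cmd = [string]$p.Value
            # Folder name must contain at least one digit and one letter, 4-8 alphanumerics, no spaces.
            if ($cmd -match 'Program Files( \(x86\))?\\(?=[A-Za-z]*\d)(?=\d*[A-Za-z])[A-Za-z0-9]{4,8}\\') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

Find-DisguisedExecutables | Format-Table -AutoSize
Get-SuspiciousRunEntries   | Format-Table -AutoSize
```

The MZ check is deliberately independent of the extension: a file that is really a WinHelp file or a Word document does not start with "MZ", so a .hlp or .docx that does is misnamed regardless of what icon it shows. The Run-key pattern will produce some false positives on legitimately short product folder names; treat its output as a list to review, not as a verdict.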
Copyright 1998-2014 by Help Net Security.