Banking Trojan disguised as innocuous Word and WinHelp files
Posted on 03.04.2013
Part of the job of a malware author is to constantly think up new ways of outsmarting researchers and bypassing automatic detection methods used by antivirus and other security software. These techniques are eventually recognized and incorporated into the defenses, but it's always interesting for malware analysts to unearth new ones.

Panda Security malware researcher Bart Blaze has recently discovered a banking Trojan targeting Brazilian online banking users that employs a novel way to hide its real nature: its executables are delivered in the guise of .hlp (WinHelp) files.

The attack starts with fake invoice notices delivered via email:

Users who wish to review the invoice are urged to download a .zip file from a Dropbox account. Unfortunately, it contains an executable sporting a fake .docx extension and a MPEG-4 icon.

Once run, the currently poorly detected malware contacts a remote server and automatically downloads what seems to be a WInHelp file with a slightly better detection rate.

The file contains three more .hlp files, which are actually three Delphi executables with extensions renamed to HLP and packed with VMProtect.

"The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example: C:\Program Files\2x8H8g," Blaze explains, and registry entries are added to assure the malware's persistency in the system.

The malware's ultimate goal is to collect targets' financial data by harvesting it from their computer, by injecting bogus pop-up forms next time they log into their online banking accounts, or by diverting them to fake login pages. The malware might also help additional malware to be downloaded on the already compromised machines.

Apart from avoiding clicking links or downloading attachments included in unsolicited emails, Windows users can make sure they always know the actual extension of a file by deselecting the "Hide extensions for known file types" option in their folder options (View tab).


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th