SecurityWeek


Radware Discovers “Admin.HLP” – A New Keylogger Used in Targeted Attack

Security researchers from Radware have discovered a new Trojan Key Logger named “Admin.HLP” that they say captures sensitive user information and attempts to export it to a server in a remote location.


The malicious file came hidden within a standard Windows help file named Amministrazione.hlp and has been used in targeted attacks against at least one Radware customer, Ronen Kenig, Director of Product Marketing for Security Products at Radware, told SecurityWeek.

Radware would not disclose the industry vertical of the customer that was targeted and infected with the malware.

“The file is being spread through email,” Kenig said. “The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan which installs itself on the victim’s computer.”

Using Windows help files as the infection vector is rarely seen. Unlike .exe attachments, which even novice users know can be dangerous, a .hlp file does not look like something that can run code.

“The general population are not aware the help files can be malicious as well,” Kenig said.

“By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code,” a threat analysis document obtained by SecurityWeek explained.

According to Radware, Admin.HLP monitors keystrokes on the victim’s computer and collects user passwords, credit card numbers and other sensitive information.

Data captured by the keylogger function is saved into a file called “UserData.dat” within the ‘Application Data’ directory, the analysis document explained.

As of today the file was not identified as malicious by any anti-virus vendor on VirusTotal, Kenig said.

The Trojan does not make use of a Command and Control (C&C) server; it simply attempts to exfiltrate the collected data to a remote “drop” server over an HTTPS connection.

The location of the drop server isn’t currently available, as the domain is not currently resolving to a host IP. However, the Trojan is programmed to send the collected data to the host “images.zyns.com”.

Interestingly, the domain (images.zyns.com) is hosted on a dynamic DNS service, which means the attacker can repoint the name at a different server if one drop server is noticed or shut down. Defenders should therefore key on the host name rather than on whatever IP it happens to resolve to at a given moment.

“The Admin.HLP Trojan is hidden within a standard Windows help file named Amministrazione.hlp and attaches itself to emails,” Radware’s Ziv Gadot explained in a blog post. “This standard help file does not trigger a response from anti-virus software that may be installed, and therefore it slips under the radar of standard security protection.”

“In order to remain a persistent threat, Admin.HLP creates a startup file in Windows, guaranteeing that the Trojan is invoked after every restart of the computer,” Gadot added.

Kenig did emphasize that this appears to be a targeted attack, but organizations should take note, and realize that the same malware or variants of it could be used in similar attacks.

For Radware customers, a signature has been created to block all network communication between infected organizations and the attackers’ remote servers.

Just as we suggested yesterday on the subject of a recent Java exploit, it is a good idea to search proxy and DNS logs for connections to images.zyns.com or any other IP or domain associated with this attack.

Even though images.zyns.com does not currently resolve to a host, it is also a good idea to block connections to that host name. Network security administrators should take the same approach any time they know of a malicious host that endpoints are connecting to.

Since Radware is not an anti-malware company, it is not necessarily producing a tool to identify or remove the Trojan.
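The log search and the name-based block recommended above, as an added example that is not part of the article or of Radware's tooling. The only indicator taken from the article is the drop host name images.zyns.com; the log formats (a Squid-style proxy access log and a BIND-style query log), the sample lines and the client addresses are constructed for the example, and the RPZ and hosts-file output formats are this example's choice of how to block by name.

```python
"""Hunt proxy and DNS logs for the Admin.HLP drop host and emit block entries.

Added example, not Radware's code. Indicator from the article: images.zyns.com.
Log formats and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

DROP_HOSTS = {"images.zyns.com"}  # drop server host name from the Radware analysis

# Constructed sample lines: workstation 10.0.1.25 tunnels HTTPS to the drop
# host through the proxy and resolves it; 10.0.1.31 and 10.0.1.40 are benign.
PROXY_LOG = """\
1346712345.123    412 10.0.1.25 TCP_TUNNEL/200 3210 CONNECT images.zyns.com:443 - HIER_DIRECT/203.0.113.10 -
1346712350.456    118 10.0.1.31 TCP_MISS/200 8812 GET http://www.example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1346712399.789    390 10.0.1.25 TCP_TUNNEL/200 2987 CONNECT IMAGES.ZYNS.COM:443 - HIER_DIRECT/203.0.113.11 -
"""

DNS_LOG = """\
04-Sep-2012 09:12:01.123 queries: info: client 10.0.1.25#51234: query: images.zyns.com IN A + (10.0.0.53)
04-Sep-2012 09:12:05.456 queries: info: client 10.0.1.40#50011: query: www.example.com IN A + (10.0.0.53)
04-Sep-2012 09:13:10.789 queries: info: client 10.0.1.25#51301: query: images.zyns.com IN AAAA + (10.0.0.53)
"""

# Squid native access.log: ts elapsed client code/status bytes method url ...
PROXY_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# BIND query log: "client 10.0.1.25#51234: query: images.zyns.com IN A + (...)"
DNS_RE = re.compile(r"client (?P<client>[\d.:a-fA-F]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(host):
    """Lower-case, drop a :port suffix and a trailing dot, so that
    'IMAGES.ZYNS.COM:443' and 'images.zyns.com.' both compare equal
    to the indicator."""
    host = host.strip().lower()
    if host.count(":") == 1:  # host:port (IPv6 literals carry more colons)
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def proxy_host(line):
    """Return (client, host) for a proxy log line, or None if it does not parse.
    CONNECT requests (HTTPS tunnels, which is how Admin.HLP exfiltrates) carry
    host:port; plain requests carry a full URL."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    host = url if m.group("method") == "CONNECT" else (urlsplit(url).hostname or "")
    return m.group("client"), normalize(host)


def dns_query(line):
    """Return (client, qname) for a DNS query log line, or None."""
    m = DNS_RE.search(line)
    if not m:
        return None
    return m.group("client"), normalize(m.group("qname"))


def find_hits(text, parse, source, indicators=DROP_HOSTS):
    """Scan log text with the given parser; match the exact host name only.
    The parent zone is a shared dynamic DNS domain, so matching on a suffix
    would sweep in unrelated subscribers' hosts."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse(line)
        if parsed and parsed[1] in indicators:
            hits.append({"source": source, "line": n, "client": parsed[0], "host": parsed[1]})
    return hits


def suspected_clients(proxy_text=PROXY_LOG, dns_text=DNS_LOG):
    """Endpoints that either tunnelled to or resolved the drop host."""
    hits = find_hits(proxy_text, proxy_host, "proxy") + find_hits(dns_text, dns_query, "dns")
    return sorted({h["client"] for h in hits}), hits


def block_entries(indicators=DROP_HOSTS):
    """Block by name, not by resolved address: the host sits on dynamic DNS and
    currently resolves to nothing at all. The RPZ record answers NXDOMAIN at the
    resolver; the hosts-file line sinkholes the name on a single endpoint."""
    rpz = [f"{h}\tCNAME\t." for h in sorted(indicators)]
    hosts = [f"0.0.0.0 {h}" for h in sorted(indicators)]
    return rpz, hosts


if __name__ == "__main__":
    clients, hits = suspected_clients()
    for h in hits:
        print(h)
    print("suspected endpoints:", clients)
    rpz, hosts = block_entries()
    print("\n".join(rpz + hosts))
```

Run against real logs, feed the contents of the proxy and DNS files to `suspected_clients`; the client list is the set of machines to pull for the host-side artifacts the article names (UserData.dat under Application Data and the startup entry).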

While AV vendors may not be able to identify the malware yet, it is likely that they will in the days ahead.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
