Radware Discovers “Admin.HLP” - A New Keylogger Used in Targeted Attack
Security researchers from Radware have discovered a new Trojan Key Logger named “Admin.HLP” that they say captures sensitive user information and attempts to export it to a server in a remote location.
The malicious file came hidden within a standard Windows help file named Amministrazione.hlp and has been used in targeted attacks against at least one Radware customer, Ronen Kenig, Director of Product Marketing for Security Products at Radware, told SecurityWeek.
Radware would not disclose the industry vertical for the customer that had been targeted and infected with the malware.
“The file is being spread through email,” Kenig said. “The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan, which installs itself on the victim’s computer.”
Using Windows help files as the infection vector is rarely seen, unlike common .exe attachments, which even novice users know can be dangerous.
“The general population are not aware the help files can be malicious as well,” Kenig said.
“By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code,” a threat analysis document obtained by SecurityWeek explained.
According to Radware, Admin.HLP monitors keystrokes on the victim’s computer and collects user passwords, credit card numbers and other sensitive information.
Data captured via the Key Logger function is saved into a file called “UserData.dat” within the ‘Application Data’ directory, the note explained.
As of today the file was not identified as malicious by any anti-virus vendor on VirusTotal, Kenig said.
The Trojan does not make use of a Command and Control (C&C) server, but simply attempts to exfiltrate the captured data to a remote “drop” server over an HTTPS connection.
The location of the drop server isn’t currently available, as the domain is not currently resolving to a host IP. However, the Trojan is programmed to send the collected data to the host “images.zyns.com”.
Interestingly, the domain (images.zyns.com) is hosted on a dynamic DNS service, meaning the attacker could move the drop server to a different location if one server is noticed or shut down.
“The Admin.HLP Trojan is hidden within a standard Windows help file named Amministrazione.hlp and attaches itself to emails,” Radware’s Ziv Gadot explained in a blog post. “This standard help file does not trigger a response from anti-virus software that may be installed, and therefore it slips under the radar of standard security protection.”
“In order to remain a persistent threat, Admin.HLP creates a startup file in Windows, guaranteeing that the Trojan is invoked after every restart of the computer,” Gadot added.
Kenig did emphasize that this appears to be a targeted attack, but organizations should take note, and realize that the same malware or variants of it could be used in similar attacks.
For Radware customers, a signature has been created to block all network communication between infected organizations and the attackers’ remote servers.
Just as we suggested yesterday on the subject of a recent Java exploit, it is a good idea to search logs for connections to images.zyns.com or any other IP or domain associated with this attack.
Even though images.zyns.com does not currently resolve to a host, it’s a good idea to block connections to that host name as well. Such an approach should be taken by network security administrators any time they know of a malicious host that endpoints are connecting to.
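The log search suggested above, written out as an added example (this is not Radware's or SecurityWeek's code). It walks a mix of Squid-style proxy access lines and BIND query-log lines, normalizes the requested host name, and flags any hit on the drop server named in the article. The sample lines are constructed for the example. Treating the whole parent zone zyns.com as a lower-severity watch item is an assumption of this example, not something the article states: the operator can re-point a dynamic DNS record, but zyns.com is a public dynamic DNS provider, so zone-level hits will include unrelated traffic and should be reviewed rather than blocked outright.

```python
import re
from collections import Counter

# Indicator taken from the article: the host name the Trojan sends data to.
IOC_HOSTS = {"images.zyns.com"}
# Assumption (not from the article): also watch the parent dynamic-DNS zone,
# at lower severity, since the record can be re-pointed to a new drop server.
WATCH_ZONES = {"zyns.com"}

# Constructed sample lines, not real logs. Two formats are mixed on purpose:
# Squid-style proxy access lines (CONNECT for HTTPS) and BIND query-log lines.
SAMPLE_LOGS = """\
1348012345.123    412 10.1.2.34 TCP_TUNNEL/200 3891 CONNECT images.zyns.com:443 - HIER_DIRECT/- -
1348012400.456     98 10.1.2.35 TCP_MISS/200 2110 GET http://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
26-Sep-2012 10:15:02.001 client 10.1.2.34#53122: query: images.zyns.com IN A + (10.1.0.2)
26-Sep-2012 10:15:03.777 client 10.1.2.36#40011: query: IMAGES.ZYNS.COM. IN A + (10.1.0.2)
26-Sep-2012 10:15:09.120 client 10.1.2.40#40012: query: cdn.zyns.com IN A + (10.1.0.2)
1348012500.000    120 10.1.2.37 TCP_TUNNEL/200 4001 CONNECT mail.example.net:443 - HIER_DIRECT/- -
"""

# Squid native access.log: time elapsed client code/status bytes method URL ...
PROXY_RE = re.compile(
    r"^\d+\.\d+\s+\d+\s+(?P<src>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)
# BIND query log: "client 10.1.2.34#53122: query: images.zyns.com IN A ..."
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def normalize_host(raw):
    """Lower-case, drop URL scheme and path, drop :port, drop DNS trailing dot."""
    host = raw.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.count(":") == 1:  # host:port as written in CONNECT requests
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def extract_event(line):
    """Return (source_ip, host) for a proxy or DNS line, or None if unparsed."""
    m = PROXY_RE.match(line)
    if m:
        return m.group("src"), normalize_host(m.group("target"))
    m = DNS_RE.search(line)
    if m:
        return m.group("src"), normalize_host(m.group("name"))
    return None


def classify(host):
    """'ioc' for the exact drop-server name, 'zone' for the watched parent zone."""
    if host in IOC_HOSTS:
        return "ioc"
    if any(host == z or host.endswith("." + z) for z in WATCH_ZONES):
        return "zone"
    return None


def hunt(log_text):
    """Scan mixed proxy/DNS log text and return every flagged event."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        event = extract_event(line)
        if event is None:
            continue
        src, host = event
        severity = classify(host)
        if severity:
            hits.append({"line": lineno, "src": src, "host": host, "severity": severity})
    return hits


def suspect_hosts(hits):
    """Count exact-IOC hits per internal source address (likely infected hosts)."""
    return Counter(h["src"] for h in hits if h["severity"] == "ioc")


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for h in found:
        print(h)
    print("hosts to examine:", dict(suspect_hosts(found)))
```

Note that a DNS query for the drop server is worth flagging even though the name does not currently resolve: an NXDOMAIN answer still tells you which internal machine tried to reach it, which is exactly the host to pull for examination.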
Since Radware isn’t an anti-malware company, they aren’t necessarily making a tool to identify or remove it.
While AV vendors may not be able to identify the malware yet, it’s likely that they will in the days ahead.