Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Radware Discovers New Trojan Keylogger Used in Targeted Attack

Radware Discovers “Admin.HLP” – A New Keylogger Used in Targeted Attack

Security researchers from Radware have discovered a new Trojan Key Logger named “Admin.HLP” that they say captures sensitive user information and attempts to export it to a server in a remote location.

Radware Discovers “Admin.HLP” – A New Keylogger Used in Targeted Attack

Security researchers from Radware have discovered a new Trojan Key Logger named “Admin.HLP” that they say captures sensitive user information and attempts to export it to a server in a remote location.

The malicious file came hidden within a standard Windows help file named Amministrazione.hlp, and has been used in targeted attacks, against at least one Radware customer, Ronen Kenig, Director, Product Marketing, Security Products at Radware told SecurityWeek.

Admin.HLP Used In Targeted AttackRadware would not disclose the industry vertical for the customer that had been targeted and infected with the malware.

“The file is being spread through email”, Kenig said. “The malware is attached to a Windows help file, and when a user attempts to open the help file, they will see the help menu, but it will also invoke the Trojan which installs itself on the victim’s computer.

The tactic to use Windows help files as the infection vector is rarely seen, unlike other common .exe files that even novice users know could be dangerous.

“The general population are not aware the help files can be malicious as well,” Kenig said.

“By using HLP-script language, the attacker is able to inject the encrypted malicious payload and execute the stub to decrypt the Trojan code,” a threat analysis document obtained by SecurityWeek explained.

According to Radware, Admin.HLP monitors keystrokes on the victim’s computer, collect user passwords, credit card numbers and other sensitive information.

Advertisement. Scroll to continue reading.

Data captured via the Key Logger function is saved into a file called “UserData.dat” within the ‘Application Data’ directory, the note explained.

As of today the file was not identified as malicious by any anti-virus vendor on VirusTotal, Kenig said.

The Trojan does not make use of a Command and Control (C&C) server, but simply attempts to exfiltrate data via to a remote “drop” server via an HTTPS connection.

The location of the drop server isn’t currently available, as the domain is not currently resolving to a host IP. However, the Trojan is programmed to send the collected data to the host “images.zyns.com”.

Interestingly, the domain (images.zyns.com) is actually hosted on dynamic DNS service, indicating that the attacker would have the ability to move the drop server to different server locations in the event one server is noticed or shut down.

“The Admin.HLP Trojan is hidden within a standard Windows help file named Amministrazione.hlp and attaches itself to emails,” Radware’s Ziv Gadot explained in a blog post. “This standard help file does not trigger a response from anti-virus software that may be installed, and therefore it slips under the radar of standard security protection.”

“In order to remain a persistent threat, Admin.HLP creates a startup file in Windows, guaranteeing that the Trojan is invoked after every restart of the computer,” Gadot added.

Kenig did emphasize that this appears to be a targeted attack, but organizations should take note, and realize that the same malware or variants of it could be used in similar attacks.

For Radware customers, a signature has been created to block all network communication between infected organizations and the attackers’ remote servers.

Just as we suggested yesterday on the subject of a recent Java exploit, it is a good idea search logs for connections to images.zyns.com or any other related IP or domain associated with this attack.

Even though images.zyns.com does not currently resolve to a host, it’s a good idea to block connections to that host name as well. Such an approach should be taken by network security administrators any time they know of a malicious host that endpoints are connecting to.

Since Radware isn’t an anti-malware company, they aren’t necessarily making a tool to identify or remove it.

While AV vendors may not be able to identify the malware yet, it’s likely that they will in the days ahead.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Former Darktrace CEO Poppy Gustafsson has joined the UK government as Minister for Investment.

Nupur Goyal has joined cloud identity security and management solutions provider Saviynt as VP of Product Marketing.

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.