.HLPing Targeted Attacks
Thanks to Takayoshi Nakayama for his research and contributions to this blog.
Targeted attacks have been a pretty popular topic of discussion in the security industry in recent years. Many may recall the incident involving Hydraq—from January 2010—and Shady RAT was something discussed more recently.
Most targeted attacks involve emails with malware attachments as the trigger point of the attack. Once a computer is infected with the malware, an attacker can compromise not only the computer, but can also work to expose the infrastructure of the targeted organization and the sensitive data it possesses.
In the early stages of the targeted attacks involving emails that I started seeing around 2005, attachments included files such as Word documents, Excel spreadsheets, PowerPoint presentations, and even Access database files. At some point along the way, PDF files as attachments came along. Of course, we can’t forget about the simple executables with forged icons that looked like Microsoft Office files. Targeted attacks have also used regional software as well. Software such as Ichitaro, developed by the Japanese vendor Justsystem, is a common target. Lhaca archiving software (developed by a Japanese author) was also exploited.
Now we’re seeing the Windows Help File (.hlp) extension being used to deliver these attacks. .hlp files are typically used by Windows Help, which is a program included in Windows that allows users search for and read help details. An .hlp file typically contains documentation and indexes for software and Windows. .hlp files are not new to the malware game; they have long been used, but not as email attachments for the infection vector.
So, why use this type of file? The reason may be because the attackers do not have to rely on vulnerabilities like they do for the other file types I mentioned above. Usually, a vulnerability needs to be exploited in order for malicious files to execute code. If the targeted system is patched, the attack will not succeed. However, .hlp files can call the Windows API and therefore run the shell code encoded in the file. So, by enticing a user to open an .hlp file, malicious files can easily be dropped onto a system. But from a user’s point of view, the only thing that happens is that Windows Help opens (as shown below).
Under normal circumstances, no user should ever receive .hlp files by email. However, email recipients can easily recognize the icon for the .hlp file type, as shown below:
Of the samples I have observed, none have forged icons. So, avoiding these files is relatively simple compared to other file types. However, since human beings are not perfect, one out of the many targets will eventually end up opening it. So, for those administrators securing their networks, if there isn’t any justification for allowing .hlp files to be delivered by email, I would advise that the file extension be filtered out.