Part of the job of a malware author is to constantly think up new ways of outsmarting researchers and bypassing automatic detection methods used by antivirus and other security software. These techniques are eventually recognized and incorporated into the defenses, but it’s always interesting for malware analysts to unearth new ones.
Panda Security malware researcher Bart Blaze has recently discovered a banking Trojan targeting Brazilian online banking users that employs a novel way to hide its real nature: its executables are delivered in the guise of .hlp (WinHelp) files.
The attack starts with fake invoice notices delivered via email:
Users who wish to review the invoice are urged to download a .zip file from a Dropbox account. Unfortunately, it contains an executable sporting a fake .docx extension and a MPEG-4 icon.
Once run, the currently poorly detected malware contacts a remote server and automatically downloads what seems to be a WInHelp file with a slightly better detection rate.
The file contains three more .hlp files, which are actually three Delphi executables with extensions renamed to HLP and packed with VMProtect.
“The files then get renamed randomly and a folder in %ProgramFiles% gets created with a random filename, for example: C:\Program Files\2x8H8g,” Blaze explains, and registry entries are added to assure the malware’s persistency in the system.
The malware’s ultimate goal is to collect targets’ financial data by harvesting it from their computer, by injecting bogus pop-up forms next time they log into their online banking accounts, or by diverting them to fake login pages. The malware might also help additional malware to be downloaded on the already compromised machines.
Apart from avoiding clicking links or downloading attachments included in unsolicited emails, Windows users can make sure they always know the actual extension of a file by deselecting the “Hide extensions for known file types” option in their folder options (View tab).