Targeted Attacks Make WinHelp Files Not So Helpful

Last year Symantec reported on the use of the Windows Help File (.hlp) extension as an attack vector in targeted attacks. Symantec telemetry is now increasingly seeing this attack vector being used in targeted attacks against industry and government sectors. The nefarious WinHelp files being used in these targeted attacks are detected by Symantec as Bloodhound.HLP.1 and Bloodhound.HLP.2.

Figure 1. Zip file attachment with malicious .hlp file

The increase in the use of WinHelp files as an attack vector can be attributed to attackers who do not require the use of an exploit to successfully compromise a computer. Attackers use social engineering to attempt to dupe a victim into opening a Windows help file contained within a targeted email. The functionality of the help file permits a call to the Windows API which, in turn, permits shell code execution and the installation of malicious payload files. This functionality is not an exploit, but there by design. Microsoft is already aware of the security implications of this functionality, and as far back as 2006 began to phase out WinHelp as a supported platform. However, the phase out has not stopped attackers from seeing WinHelp as an attractive means of attacking targets.

Figure 2. Bloodhound.HLP.1 and Bloodhound.HLP.2 detection heatmap

While Symantec continues to see an increase in this attack vector in the wild, we have identified two main threats in particular using this technique: Trojan.Ecltys and Backdoor.Barkiofork. Both threats are known to be limited to targeted attacks against industry and government sectors.

As always, it is recommended that you keep your antivirus updated and use the latest Symantec technologies to ensure the best possible protection against such threats. If you believe that you have been affected by any of the threats mentioned and require further assistance, please contact Symantec.