Hellsing Targeted Attacks
Virus Type: Advanced Persistent Threat (APT)
What is Hellsing?
Hellsing is a small cyberespionage group targeting mostly government and diplomatic organizations in Asia. Deeper analysis of the Hellsing threat actor by Kaspersky Lab reveals a trail of spear-phishing emails with malicious attachments designed to propagate espionage malware among different organizations. If a victim opens the malicious attachment, their system becomes infected with a custom backdoor capable of downloading and uploading files, and of updating and uninstalling itself.
Who are the victims of these attacks?
Kaspersky Lab has detected and blocked Hellsing malware in Malaysia, the Philippines, India, Indonesia and the US, with most of the victims located in Malaysia and the Philippines.
Am I at risk?
You might be a target of Hellsing if the following risk factors are familiar to you:
- If you work for or with governments in APAC
- If you receive and read hundreds of emails and open their attachments
- If you have received suspicious .scr files inside password-protected RAR/ZIP archives
How do I know if I’m infected?
Hellsing indicators of compromise are available at Securelist.com.
Kaspersky Lab products detect the backdoors used by the Hellsing attacker as: HEUR:Trojan.Win32.Generic, Trojan-Dropper.Win32.Agent.kbuj, Trojan-Dropper.Win32.Agent.kzqq.
How can I protect myself?
To protect against the Hellsing attacks, make sure to follow basic security best practices:
- Don’t open attachments from unknown persons
- Regularly scan your PC with an advanced antimalware solution
- Beware of password-protected archives which contain SCR or other executable files inside
- If you are unsure about the attachment, try to open it in a sandbox
- Make sure you have a modern operating system with all patches installed
- Update all third-party applications such as Microsoft Office, Java, Adobe Flash Player and Adobe Reader
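
The advice above about password-protected archives containing SCR files can be checked automatically in a mail gateway or triage script. This is an added example, not Kaspersky Lab code, and it covers ZIP only because Python's standard library does not read RAR; the extension list, the verdict labels and the sample builder are assumptions made for illustration.

```python
import io
import zipfile

# Assumed block list of directly executable Windows extensions; the page names .scr.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry needs a password


def risky_entries(zip_bytes):
    """Return (name, encrypted) for each executable-looking entry in a ZIP.

    Standard ZIP encryption protects file contents only. Entry names stay
    readable in the central directory, so this check needs no password.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Windows ignores trailing dots and spaces, so strip them first.
            name = info.filename.lower().rstrip(". ")
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in EXECUTABLE_EXTS:
                hits.append((info.filename, bool(info.flag_bits & ENCRYPTED_FLAG)))
    return hits


def verdict(zip_bytes):
    """Hypothetical policy: encrypted executable -> quarantine, plain -> review."""
    hits = risky_entries(zip_bytes)
    if any(encrypted for _, encrypted in hits):
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(names, encrypted=False):
    """Constructed archive of harmless text entries, optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"harmless placeholder")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        # Flags sit at offset 8 of each central-directory header.
        raw[pos + 8] |= ENCRYPTED_FLAG
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)
```

Double extensions such as `Report.pdf.SCR` are matched on the final extension, which is the one Windows acts on.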