H1N1 Loader

H1N1 Loader Description

The H1N1 malware was first detected in the wild as a simple loader: it was tasked with delivering other, more complex malware threats to an already compromised computer. However, it underwent a rapid evolution, with the hackers behind it equipping the threat with various additional functions, such as obfuscation techniques for hampering analysis attempts, a User Account Control bypass, data collection and self-propagation in the infiltrated network. The loader functions were kept intact.

H1N1 was delivered to the targeted system through MS Word documents that carry malicious VBA macros. To hide the macro's true purpose, the macro code is heavily obfuscated using the string functions StrReverse, Ucase, Lcase, Right, Mid and Left. The poisoned documents use social-engineering tactics to convince the user to execute the macro by showing a scrambled block accompanied by the message 'Enable Content to adjust this document to your version of Microsoft Word.' The macro's end goal is to drop an H1N1 executable file to %temp% and then run it.

H1N1 itself employs two anti-detection and anti-analysis techniques: string obfuscation and import obfuscation through import hashing. String obfuscation is achieved through the use of SUB, XOR, and ADD with fixed DWORD values. The result of each operation is used as the input for the next one.

To bypass the User Account Control (UAC) of Windows systems, H1N1 exploited a DLL hijacking vulnerability. It forced the Windows Update Standalone Installer (wusa.exe) to run a malicious DLL file as a high integrity process without eliciting a UAC response. Another tool that was attached to H1N1 was a process kill function. The threat has an internal list of processes, and if a match is detected on the compromised system, it is killed via the 'cmd.exe /c net stop [Service Name]' command. The process is also prevented from being started on any subsequent system boot through 'cmd.exe /c sc config [Service Name] start= disabled.' H1N1's list consisted of 5 processes, with four of them being:

  • MpsSvc - Windows Firewall Service
  • wscsvc - Windows Security Center Service
  • WinDefend - Windows Defender Service
  • wuauserv - Windows Update Service.

A rather peculiar aspect of H1N1 was its ability to delete system backups. This functionality is commonly used by ransomware threats but is rarely seen in other malware types. In this case, the Shadow Volume Copies of the files were deleted through the 'vssadmin.exe delete shadows /quiet /all' command, while the default Windows recovery options were disabled by executing bcdedit commands.
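The service-disabling and backup-deletion commands described above leave recognizable process command lines. The following is an added detection example, not code from H1N1 or from any vendor tool: it matches those command lines in process-creation events and reports hosts that show several of the behaviours together. The event format, host names, function names and the three-category threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The four service names the page lists (the fifth is not named there).
SERVICES = ("MpsSvc", "wscsvc", "WinDefend", "wuauserv")
SVC = "(?:" + "|".join(SERVICES) + ")"

RULES = {
    "service_stop": re.compile(r"\bnet(?:\.exe)?\s+stop\s+\"?" + SVC + r"\b", re.I),
    "service_disable": re.compile(
        r"\bsc(?:\.exe)?\s+config\s+\"?" + SVC + r"\"?\s+start=\s*disabled\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    # Assumption: the page only says "bcdedit commands", so any /set call is flagged.
    "boot_config_change": re.compile(r"\bbcdedit(?:\.exe)?\b.*?/set\b", re.I),
}

def classify(command_line):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]

def hosts_to_triage(events, min_categories=3):
    """Group hits per host; report hosts showing several distinct behaviours."""
    seen = defaultdict(set)
    for host, command_line in events:
        seen[host].update(classify(command_line))
    return {h: sorted(c) for h, c in seen.items() if len(c) >= min_categories}

# Constructed process-creation events (host, command line), not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "cmd.exe /c net stop MpsSvc"),
    ("WS-014", "cmd.exe /c sc config MpsSvc start= disabled"),
    ("WS-014", "cmd.exe /c net stop WinDefend"),
    ("WS-014", "vssadmin.exe delete shadows /quiet /all"),
    ("WS-022", "cmd.exe /c net stop Spooler"),        # unrelated service
    ("WS-022", "vssadmin.exe list shadows"),          # read-only query
    ("SRV-03", "sc config wuauserv start= demand"),   # admin re-enabling updates
    ("SRV-03", "net stop wuauserv"),                  # single hit, below threshold
]

if __name__ == "__main__":
    for host, hits in hosts_to_triage(SAMPLE_EVENTS).items():
        print(host, hits)
```

Requiring several distinct categories per host keeps a single administrative 'net stop' from raising an alert while still surfacing the combined pattern.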

The most drastic switch in behavior, however, was the transition of H1N1 from a loader malware into what was primarily a potent data exfiltration threat. The H1N1 loader could extract login data from Firefox. It searched for the login data file 'logins.json' within all the system profiles and exfiltrated the values that matched the 'encryptedUsername,' 'encryptedPassword,' and 'hostname' keys. To gain access to Internet Explorer login credentials, the threat first enumerated the URL cache, hashed the URLs there, and tried to match them with the values stored in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook and HKLM\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook.

H1N1 Loader is a perfect example of how, through iteration and constant development, even not-so-sophisticated threats can become potent parts of cybercriminals' toolkits.