H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [1]

ID: S0132
Platforms: Windows

Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1088 | Bypass User Account Control | H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[2] |
| Enterprise | T1059 | Command-Line Interface | H1N1 kills and disables services by using cmd.exe.[2] |
| Enterprise | T1003 | Credential Dumping | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[2] |
| Enterprise | T1001 | Data Obfuscation | H1N1 obfuscates C2 traffic with an altered version of base64.[2] |
| Enterprise | T1089 | Disabling Security Tools | H1N1 kills and disables services for Windows Firewall, Windows Security Center, and Windows Defender.[2] |
| Enterprise | T1490 | Inhibit System Recovery | H1N1 disables recovery options and deletes shadow copies from the victim.[2] |
| Enterprise | T1027 | Obfuscated Files or Information | H1N1 uses multiple techniques to obfuscate strings, including XOR.[1] |
| Enterprise | T1105 | Remote File Copy | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[2] |
| Enterprise | T1091 | Replication Through Removable Media | H1N1 has functionality to copy itself to removable media.[2] |
| Enterprise | T1045 | Software Packing | H1N1 uses a custom packing algorithm.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | H1N1 encrypts C2 traffic using an RC4 key.[2] |
| Enterprise | T1080 | Taint Shared Content | H1N1 has functionality to copy itself to network shares.[2] |