H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. [1]

ID: S0132
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

H1N1 bypasses User Account Control (UAC) by exploiting a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

H1N1 kills and disables services by using cmd.exe.[2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[2]

Enterprise T1132 Data Encoding

H1N1 obfuscates C2 traffic with an altered version of base64.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

H1N1 encrypts C2 traffic using an RC4 key.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

H1N1 kills and disables services for Windows Security Center and Windows Defender.[2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

H1N1 kills and disables services for Windows Firewall.[2]

Enterprise T1105 Ingress Tool Transfer

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[2]

Enterprise T1490 Inhibit System Recovery

H1N1 disables recovery options and deletes shadow copies from the victim.[2]

Enterprise T1027 Obfuscated Files or Information

H1N1 uses multiple techniques to obfuscate strings, including XOR.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

H1N1 uses a custom packing algorithm.[1]

Enterprise T1091 Replication Through Removable Media

H1N1 has functionality to copy itself to removable media.[2]

Enterprise T1080 Taint Shared Content

H1N1 has functionality to copy itself to network shares.[2]