Security researchers at Proofpoint, Cisco and other individual experts alarm that the H1N1 malware, previously known as a malware downloader, is slowly but surely moving into the infostealer category.
Until now H1N1 was referred to as a malware downloader with a few features but able to compromise a victim`s machine. However, these features didn’t include the capability to gain boot persistence, or download & install other malware or to bypass antivirus software.
And yet, newer versions of H1N1 are a lot closer to infostealing malware than to just droppers, report Cisco and Proofpoint security firms. According to them, H1N1 has been upgraded with a new UAC (User Access Control) bypass, exploited via new DLL hijacking technique and unique code obfuscation techniques, making reverse engineering much harder. H1N1 is also able to self-spread itself onto connected USB drives as well as to computer on the same network.
The biggest modification, however, is the H1N1`s ability to gather information from compromised PCs, encrypt it using the RC4 algorithm and then send it to a central C&C server. The type of information the malware is able to steal includes Internet Explorer Intelliform data, email login data from Microsoft Outlook and Firefox profile login data. This is not much compared to other more advanced infostealers but researchers believe that its future versions` target lists will include a lot more.
Moreover, H1N1 was also detected to be able to delete shadow copies and disables system recovery options.
“These commands are commonly used in conjunction with Ransomware, but we have not found evidence that H1N1 has been loading such types of malware.” – Cisco’s researcher, Josh Reynolds, explains.
Previously, H1N1 was distributed by campaigns that deliver the Vawtrack banking Trojan and the Pony infostealer, but its recent versions are being spread on their own by recent spam flood, Cisco says. The messages come with a malevolent DOC file attached which relies on the classic “Enable Editing” macro activation trick to run an embedded VBA script that downloads and installs H1N1.
At this point, the spam emails are targeting organizations in the financial, communications, military, government and the energy sectors, with different email subjects to trick employees into opening them.
Cisco, using data provided by OpenDNS, managed to discover that the H1N1`s authors have registered 177 domains to send the spam flood that spread these new H1N1 versions, using the marekkazuewsky@gazeta.pl address.
Moreover, it turned out that the H1N1 gang had quite the previous experience in malware distribution. The researchers were able to link these domains and the gang to other malware spreading campaigns. The threats spread in the past include the Rovnix banking Trojan, a variant of the Zeus banking Trojan, the Virut (botnet) Trojan, Bayrob backdoor Trojan, the Sality (botnet) Trojan and some generic ransomware versions.
An interesting coincidence is the fact that the Bayrob backdoor Trojan also received an upgrade after nine years and it happened around the same time the infostealing H1N1 version was first detected by Proofpoint.
“H1N1 is an example of the many dropper variants that continue to evolve over time, and become threats to your organization in and of themselves, as opposed to the sophisticated variants they are meant to drop.” – Cisco’s Emmett Koen says – “The amount of obfuscation within this binary demonstrates the length at which malware authors are prepared to protect their original code, and even with this amount of complexity there are still a large number of variants that present much larger challenges for analysts.”
