S0132 H1N1
H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality.[1]
| Item | Value |
|---|---|
| ID | S0132 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.2 |
| Created | 31 May 2017 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | H1N1 kills and disables services by using cmd.exe.[2] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[2] |
| enterprise | T1132 | Data Encoding | H1N1 obfuscates C2 traffic with an altered version of base64.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | H1N1 encrypts C2 traffic using an RC4 key.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | H1N1 kills and disables services for Windows Security Center and Windows Defender.[2] |
| enterprise | T1562.004 | Disable or Modify System Firewall | H1N1 kills and disables services for Windows Firewall.[2] |
| enterprise | T1105 | Ingress Tool Transfer | H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[2] |
| enterprise | T1490 | Inhibit System Recovery | H1N1 disables recovery options and deletes shadow copies from the victim.[2] |
| enterprise | T1027 | Obfuscated Files or Information | H1N1 uses multiple techniques to obfuscate strings, including XOR.[1] |
| enterprise | T1027.002 | Software Packing | H1N1 uses a custom packing algorithm.[1] |
| enterprise | T1091 | Replication Through Removable Media | H1N1 has functionality to copy itself to removable media.[2] |
| enterprise | T1080 | Taint Shared Content | H1N1 has functionality to copy itself to network shares.[2] |