Skip to content

S0132 H1N1

H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. 1

Item Value
ID S0132
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell H1N1 kills and disables services by using cmd.exe.2
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.2
enterprise T1132 Data Encoding H1N1 obfuscates C2 traffic with an altered version of base64.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography H1N1 encrypts C2 traffic using an RC4 key.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools H1N1 kills and disables services for Windows Security Center, and Windows Defender.2
enterprise T1562.004 Disable or Modify System Firewall H1N1 kills and disables services for Windows Firewall.2
enterprise T1105 Ingress Tool Transfer H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.2
enterprise T1490 Inhibit System Recovery H1N1 disable recovery options and deletes shadow copies from the victim.2
enterprise T1027 Obfuscated Files or Information H1N1 uses multiple techniques to obfuscate strings, including XOR.1
enterprise T1027.002 Software Packing H1N1 uses a custom packing algorithm.1
enterprise T1091 Replication Through Removable Media H1N1 has functionality to copy itself to removable media.2
enterprise T1080 Taint Shared Content H1N1 has functionality to copy itself to network shares.2


Back to top