The H1N1 malware is slowly turning into an infostealer, according to reports from security experts at Cisco, Proofpoint, and independent researchers.
This old threat is what’s known as a “malware downloader,” a specific type of virus that is specialized in gaining a foothold on a victim’s PC, with little features except the ability to bypass antivirus software, gain boot persistence, and download & install other more potent malware.
According to a report from Cisco published this week, and one from Proofpoint released in May (citing researchers on KernelMode), recent H1N1 versions contain a lot more features which, in theory, should place H1N1 in the infostealer category.
Experts say that H1N1 now includes a shiny new UAC (User Access Control) bypass exploited via a novel DLL hijacking technique and unique code obfuscation techniques that make reverse engineering much harder.
The malware also comes with self-propagation features to spread to nearby computers on the same network (via network shares) or onto plugged-in USB drives.
Most importantly, H1N1 now has the ability to collect information from infected systems and send it to a central C&C server encrypted using the RC4 algorithm.
H1N1 can collect and steal information such as Firefox profile login data, Internet Explorer Intelliform data, and email login data from Microsoft Outlook. It’s not as much information as other infostealers can target, but this is most likely to expand in future versions.
Furthermore, researchers also detected that H1N1 deletes shadow copies and disables system recovery options. “These commands are commonly used in conjunction with Ransomware, but we have not found evidence that H1N1 has been loading such types of malware,” Cisco’s Josh Reynolds explains.
H1N1 has been historically seen in campaigns that spread the Pony infostealer or the Vawtrack banking trojan, but recent campaigns are dropping H1N1 and nothing else. The malware dropper functionality is still there, and attackers could deploy it in the future if necessary.