H1N1 malware is converting into an infostealer, researchers said.
The malware downloader, a specific type of virus focused on gaining a foothold on a victim’s PC, used to have very little features except the ability to bypass antivirus software, gain boot persistence, and download and install other malware.
H1N1 now includes a new UAC (User Access Control) bypass exploited via a DLL hijacking technique and unique code obfuscation techniques that make reverse engineering much harder.
The malware also comes with self-propagation features to spread to nearby computers on the same network (via network shares) or onto plugged-in USB drives.
H1N1 now has the ability to collect information from infected systems and send it to a central C&C server encrypted using the RC4 algorithm.
H1N1 can collect and steal information such as Firefox profile login data, Internet Explorer Intelliform data, and email login data from Microsoft Outlook. It’s not as much information as other infostealers can target, but this is most likely to expand in future versions.
Furthermore, researchers also detected H1N1 deletes shadow copies and disables system recovery options. “These commands are commonly used in conjunction with Ransomware, but we have not found evidence that H1N1 has been loading such types of malware,” Cisco’s Josh Reynolds said in a post.