Two months ago, the author of the H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewritten UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at a low integrity level. These two techniques and some general aspects of the new version will be discussed in this post.
The new version of the H1N1 loader is made up of a loader (exe) and a payload (dll). The loader is an x86 executable without any imports and has a small file size of 14.5 KB. It contains the encrypted and Upack-compressed payload, which has a size of 76 KB when unpacked. The API functions used by the loader and payload are resolved on the fly with the help of hashes instead of strings, for both library and API function names. Like in the previous version, sensitive strings are obfuscated and are also deobfuscated on the fly just before they are used.
Elevate privileges through WMI
One of the tasks of the loader is to check the OS version and the current mandatory integrity level of the process. If it runs on at least Windows Vista and the integrity level is anything below SECURITY_MANDATORY_MEDIUM_RID, the loader tries to elevate privileges with the help of the WMI console application. This is done by executing wmic.exe with ShellExecuteEx(), passing the string process call create "<MalwareFilePath>" as parameters along with the runas verb. This results in the following UAC dialog box:
As you can see, the dialog box without any details doesn't look suspicious at first, because a legitimate Windows program is to be executed. An inexperienced user might click "Yes", not expecting that a malicious application will be executed in the background. However, after expanding the details section you can see the malware which actually gets executed.
If someone falls for the trick, a new process of the malware with high integrity level will be created:
Finally, the old process will be terminated and the new process continues with the injection of the payload.
UAC bypass - modified Wusa method
If the loader process has at least SECURITY_MANDATORY_MEDIUM_RID integrity level, it spawns a new instance of explorer.exe and injects the decrypted payload into it. The payload then copies the Windows delta package expander dpx.dll from the system directory into the AppData directory. Next, it opens dpx.dll to write a small shellcode into a code cave at the end of the .text section and patches the unconditional jump at the beginning of the DLL so that it jumps to the shellcode:
It then creates, one after the other, two cabinet files in the AppData directory, both named cabfile.cab: the first with wusa.exe and the second with the patched dpx.dll as contents. These two files are extracted into the drivers folder of the system directory with the help of wusa.exe and the command line /quiet <CabFilePath> /extract:<TargetFilePath>. Finally, the wusa.exe in the drivers folder is executed with ShellExecuteEx() along with the runas verb. Due to the fact that wusa.exe still has the <autoElevate>true</autoElevate> property present in all Windows versions, it will be run as a high integrity level process. Further, since dpx.dll is one of the statically-linked libraries of wusa.exe, the patched version residing in the same directory gets loaded first at startup (DLL side-loading). This results in the shellcode inside dpx.dll being executed, which in turn executes the original loader in the context of wusa.exe (high integrity). However, as EP_X0FF already pointed out, this method doesn't work on Windows 10, which makes it kind of strange to implement such a technique...
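As an added defender-side example (my own code, not from the post or from the malware author), the following Python checks constructed process-creation records for the two ShellExecuteEx/runas patterns described in the WMI and Wusa sections above: wmic.exe creating a process from a user-writable path, and wusa.exe extracting a cabinet from a user-writable path into the system directory or running from an unexpected location. The record format, field names and sample paths are assumptions; the events are constructed, not real telemetry.

```python
import re

# Constructed process-creation events (not real telemetry), one dict per event.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": r'wmic process call create "C:\Users\bob\AppData\Roaming\loader.exe"'},
    {"image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r"wusa /quiet C:\Users\bob\AppData\Roaming\cabfile.cab /extract:C:\Windows\System32\drivers"},
    {"image": r"C:\Windows\System32\drivers\wusa.exe",
     "cmdline": r'"C:\Windows\System32\drivers\wusa.exe"'},
    {"image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r"wusa C:\Users\bob\Downloads\update.msu"},  # benign update install
]

# Directories a standard user can write to; paths launched from here deserve scrutiny.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)

def classify(event):
    """Return the names of all detection rules that match one process-creation event."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    hits = []
    # Rule 1: wmic "process call create" used to start a binary from a user-writable location
    # (the WMI elevation prompt trick: the UAC dialog names wmic.exe, not the created process).
    if image.endswith("\\wmic.exe") and re.search(r"process\s+call\s+create", cmd, re.I):
        m = re.search(r'create\s+"?([^"]+)"?', cmd, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("wmic_create_user_writable")
    # Rule 2: wusa extracting a cabinet from a user-writable path into the system directory.
    if image.endswith("\\wusa.exe") and "/extract:" in cmd.lower():
        m = re.search(r"/extract:(\S+)", cmd, re.I)
        if m and m.group(1).lower().startswith(r"c:\windows\system32") and USER_WRITABLE.search(cmd):
            hits.append("wusa_extract_to_system32")
    # Rule 3: wusa.exe running from anywhere but its expected System32 location
    # (a copy placed next to a planted dpx.dll is the side-loading staging step).
    if image.endswith("\\wusa.exe") and image != r"c:\windows\system32\wusa.exe":
        hits.append("wusa_unexpected_path")
    return hits

def scan(events=SAMPLE_EVENTS):
    """Map event index -> matched rules, for events that matched at least one rule."""
    results = {}
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    for idx, rules in scan().items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"], "->", ", ".join(rules))
```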
Loader: https://www.virustotal.com/en/file/7b49 ... /analysis/
Payload: https://www.virustotal.com/en/file/8c21 ... 458057506/
https://www.virustotal.com/en/file/08c0 ... 458057548/
List of (decrypted) strings and used API functions of the loader
process call create __s_
List of (decrypted) strings and used API functions of the payload
cmd.exe /c makecab __s_
cmd.exe /c wusa /quiet __s_ /extract:__s_
cmd.exe /c net stop _s
cmd.exe /c sc config _s start= disabled
url: %s,login: %s,password: %s\r\n
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook