Two months ago, the author of H1N1 loader released a new version of his tool (H1N1v2) which he claims was completely rewritten. Some of the new features include a rewritten UAC bypass method and a new social engineering technique to elevate privileges if the malware runs at a low integrity level. These two techniques and some general aspects of the new version are discussed in this post.
H1N1v2
The new version of H1N1 loader is made up of a loader (exe) and a payload (dll). The loader is an x86 executable without any imports and has a small file size of 14.5 KB. It contains the encrypted and Upack-compressed payload, which has a size of 76 KB when unpacked. The API functions used by the loader and the payload are resolved on the fly with the help of hashes instead of strings, for both library and API function names. As in the previous version, sensitive strings are obfuscated and are deobfuscated on the fly just before they are used.
Elevate privileges through WMI
One of the tasks of the loader is to check the OS version and the current mandatory integrity level of the process. If it runs on at least Windows Vista and the integrity level is anything below SECURITY_MANDATORY_MEDIUM_RID, the loader tries to elevate privileges with the help of the WMI command-line utility. This is done by executing wmic.exe with ShellExecuteEx(), passing the string process call create "<MalwareFilePath>" as lpParameters along with runas as lpVerb. This results in the following UAC dialog box:
As you can see, the dialog box without any details doesn't look suspicious at first, because a legitimate Windows program is to be executed. An inexperienced user might click "Yes", not expecting a malicious application to be executed in the background. However, after expanding the details section you can see the malware that actually gets executed.
If someone falls for the trick, a new process of the malware with high integrity level will be created:
Finally, the old process is terminated and the new process continues with the injection of the payload.
UAC bypass - modified Wusa method
If the loader process has at least SECURITY_MANDATORY_MEDIUM_RID integrity level, it spawns a new instance of explorer.exe and injects the decrypted payload into it. The payload then copies the Windows delta package expander dpx.dll from the system directory into the AppData directory. Next, it opens dpx.dll to write a small shellcode into a code cave at the end of the .text section and patches the unconditional jump at the beginning of the DLL so that it jumps to the shellcode:
Then it creates two cabinet files in the AppData directory, both named cabfile.cab, the first containing wusa.exe and the second containing the patched dpx.dll. Both are extracted into the drivers folder of the system directory with the help of wusa.exe and the command /quiet <CabFilePath> /extract:<TargetFilePath>. Finally, the wusa.exe in the drivers folder is executed with ShellExecuteEx() along with runas as lpVerb. Because wusa.exe still has the <autoElevate>true</autoElevate> property present in all Windows versions, it runs as a high integrity level process. Further, since dpx.dll is one of the statically linked (import-table) dependencies of wusa.exe, the patched version residing in the same directory gets loaded first at startup (DLL side-loading). This results in the shellcode inside dpx.dll being executed, which in turn executes the original loader in the context of wusa.exe (high integrity). However, as EP_X0FF already pointed out, this method doesn't work on Windows 10, which makes it kind of strange to implement such a technique at all...
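To make the two elevation chains described above observable from the defender's side, here is an added example (not code from this post, the loader or the payload) that runs simple process-creation rules over constructed Sysmon-style events; the field names Image, CommandLine and IntegrityLevel and all sample paths are assumptions, and the benign fourth event shows that a normal wusa.exe run does not fire:

```python
import re

# Constructed Sysmon-style process-creation events (field names assumed, not real telemetry).
# Events 1-3 mimic the H1N1v2 chains described above; event 4 is a benign wusa.exe run.
EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "IntegrityLevel": "High",
     "CommandLine": r'wmic process call create "C:\Users\bob\AppData\Roaming\h1n1.exe"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": r"cmd.exe /c wusa /quiet C:\Users\bob\AppData\Roaming\cabfile.cab /extract:C:\Windows\System32\drivers"},
    {"Image": r"C:\Windows\System32\drivers\wusa.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Windows\System32\drivers\wusa.exe"},
    {"Image": r"C:\Windows\System32\wusa.exe", "IntegrityLevel": "High",
     "CommandLine": r"wusa.exe C:\Users\bob\Downloads\KB000000.msu"},
]

def wmic_runas_create(e):
    # Elevated wmic.exe spawning a process from a user-writable path (the runas trick above).
    return (e["Image"].lower().endswith(r"\wmic.exe") and e["IntegrityLevel"] == "High"
            and re.search(r'process\s+call\s+create\s+"?[a-z]:\\users\\', e["CommandLine"], re.I)
            is not None)

def wusa_extract_to_drivers(e):
    # wusa.exe used as a cab extractor with a target inside the drivers folder.
    cmd = e["CommandLine"]
    return (re.search(r"\bwusa(\.exe)?\b", cmd, re.I) is not None
            and re.search(r"/extract:\S*\\drivers\b", cmd, re.I) is not None)

def wusa_outside_system32(e):
    # The auto-elevating wusa.exe started from anywhere but its normal System32 location.
    img = e["Image"].lower()
    return img.endswith(r"\wusa.exe") and not img.endswith(r"\system32\wusa.exe")

RULES = {
    "h1n1_wmic_runas_create": wmic_runas_create,
    "h1n1_wusa_extract_to_drivers": wusa_extract_to_drivers,
    "h1n1_wusa_outside_system32": wusa_outside_system32,
}

def match_events(events):
    """Return (rule name, command line) for every event a rule fires on, in event order."""
    return [(name, e["CommandLine"]) for e in events
            for name, rule in RULES.items() if rule(e)]
```

The third rule is deliberately broader than the drivers folder alone, since any copy of an auto-elevating binary outside its System32 home is worth a look.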
Files
Loader:
https://www.virustotal.com/en/file/7b49 ... /analysis/
Payload:
https://www.virustotal.com/en/file/8c21 ... 458057506/ (packed)
https://www.virustotal.com/en/file/08c0 ... 458057548/ (unpacked)
List of (decrypted) strings and used API functions of the loader
Strings:
runas
wmic
process call create __s_
\SysWOW64\explorer.exe
\explorer.exe
Ntdll.dll:
NtAllocateVirtualMemory
NtClose
NtCreateSection
NtMapViewOfSection
NtQueryInformationProcess
NtQuerySystemInformation
NtUnmapViewOfSection
Kernel32.dll:
CloseHandle
CreateProcessW
CreateToolhelp32Snapshot
ExitProcess
GetCurrentProcessId
GetModuleFileNameW
GetVersionExW
GetWindowsDirectoryW
LoadLibraryA
Process32First
Process32Next
ReadProcessMemory
ResumeThread
Sleep
VirtualAlloc
VirtualFree
lstrcmpiW
lstrlenW
Advapi32.dll:
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken
Shell32.dll:
ShellExecuteExW
User32.dll:
wsprintfW
List of (decrypted) strings and used API functions of the payload
Strings:
explorer.exe
spirate.biz:80/gate.php
M4AJQPCS9lLskNPbU21tdc9Z
\SysWOW64\
\System32\
wusa.exe
dpx.dll
drivers
cabfile.cab
cmd.exe /c makecab __s_
cmd.exe /c wusa /quiet __s_ /extract:__s_
cmd.exe /c net stop _s
cmd.exe /c sc config _s start= disabled
Software\Classes\http\shell\open\command
&browsers=
\Mozilla\Firefox\Profiles
\*.*
\logins.Json
\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
url: %s,login: %s,password: %s\r\n
&mails=
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Email
POP3 Password
POP3 User
SMTP Port
SMTP Server
SMTP Password
SMTP User
HTTP/1.1
Accept: */*
accept-Encoding: none
accept-Language: en-US.q=0.8
Content-Type: application/x-www-form-urlencoded
Connection: close
RC4-Size:
get.adobe.com
flashplayer/download/?dualoffer=false&installer=%.8X
guid=%.8X%.8X&os=%d&bits=%d&pl=%d
guid=%.8X%.8X&report=
hostname
encryptedUsername
encryptedPassword
Ntdll.dll:
LdrProcessRelocationBlock
NtClose
NtCreateSection
NtMapViewOfSection
NtQueryInformationProcess
NtUnmapViewOfSection
Kernel32.dll:
CloseHandle
CopyFileW
CreateEventA
CreateFileA
CreateFileMappingA
CreateFileW
CreateProcessA
CreateProcessW
CreateThread
DeleteFileW
ExitProcess
FindClose
FindFirstFileA
FindNextFileA
GetFileAttributesA
GetFileAttributesW
GetFileSize
GetLocaleInfoA
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetShortPathNameA
GetVersionExW
GetVolumeInformationW
GetWindowsDirectoryW
LoadLibraryA
MapViewOfFile
OutputDebugStringA
OutputDebugStringW
ReadFile
ReadProcessMemory
ResumeThread
Sleep
UnmapViewOfFile
VirtualAlloc
VirtualFree
VirtualProtect
WaitForMultipleObjects
WaitForSingleObject
WideCharToMultiByte
WriteFile
lstrcat
lstrcpy
lstrcpyW
lstrlen
lstrlenW
Advapi32.dll:
AllocateAndInitializeSid
CheckTokenMembership
CloseServiceHandle
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
EnumServiceStatusA
FreeSid
GetSidSubAuthority
GetSidSubAuthorityCount
GetTokenInformation
OpenProcessToken
OpenSCManagerA
RegCloseKey
RegCreateKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyW
RegQueryValueExA
RegQueryValueExW
RegSetValueExA
Urlmon.dll:
ObtainUserAgentString
Wininet.dll:
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Shell32.dll:
SHGetSpecialFolderPathA
SHGetSpecialFolderPathW
ShellExecuteExW
User32.dll:
wsprintfA
wsprintfW
Crypt32.dll:
CryptUnprotectData
Ws2_32.dll:
WSACleanup
WSAStartup
closesocket
connect
gethostbyname
socket