Russian underground forums often serve as a marketplace for talented coders of sophisticated malware who develop attack tools to target the financial industry.
During routine monitoring of these forums, we came across a new type of malware loader called H1N1. Loaders are used as an initial intrusion vector, enabling an attacker to install malware on a workstation at a later time of his own choosing. They provide the attacker with both an initial foothold in the victim’s system and a future channel for delivering malicious programs at any time.
The new loader, which is named after the swine flu virus, was offered for sale in late April for $500 by a member of a Russian password-protected forum.
According to the sales thread, H1N1 is a non-resident loader. This means that it is executed in the system, installs the programs from its task list, and deletes itself after the computer is rebooted. (A resident loader, on the other hand, writes itself into the operating system and is not deleted after reboot. Since it receives commands from the C&C server, it can keep installing malicious software on the infected computer.)
- Bypasses User Account Control (UAC) through a UAC whitelist, which allows it to run files with elevated privileges. This bypass does not require use of additional .dll libraries or Windows Sysprep. If the loader is unable to receive elevated privileges, it will run programs with user privileges.
- Traffic in both directions is encrypted.
- Installs .exe files on the infected computer using Windows Management Instrumentation (WMI). The .dll files are installed from memory.
- Has an embedded security mechanism that recognizes when it is being executed in a virtual machine.
- Can be injected into the address space of legitimate system processes (of the default browsers).
- Bypasses AV and HIPS programs. With AV programs, it does this by identifying their running processes and paths, creating copies of the processes, injecting into the copied processes, and finally, disabling all threads of the AV software’s legitimate processes.
- Elevates privileges from a low integrity level by using WMI and exploiting the CVE-2014-4113 vulnerability.
- Identifies and neutralizes certain AV programs.
A number of forum members who claimed to have used the tool gave generally positive feedback but stated that it does not bypass all AV programs. According to the technical analysis (below), Kaspersky Internet Security identified the presence of the loader, while ESET NOD32 and Outpost Security Suite did not. Avira only identified the activity as malicious in some cases (depending on the crypt of the loader).
It is common practice on closed Russian forums for veteran, trusted members to analyze and validate malware sold by newbies to prevent them from cheating and selling a low-quality product. It is harder to find buyers for non-validated malware, especially if the seller is new to the forum (for a review of different types of sellers, see our previous post on this subject). Since a major part of the underground ecosystem is based on reputation and the hierarchy on different underground forums, an impartial entity whose role is to validate new goods is extremely important.
Ares, the administrator of a well-known Russian forum, conducted a validation analysis to check whether H1N1 really possesses the capabilities claimed by the seller, including the ability to bypass security measures. He published an extensive review on his forum.
According to Ares, the code is written in Assembly language and was obfuscated (for security purposes). Once all the initial procedures are loaded (the code uses kernel32 and advapi32 during loading), the loader launches the Explorer process from syswow64 on x64 systems and from system32 on x86 systems. The process is mapped into memory with its entry point overwritten by shellcode.
The shellcode receives all of the necessary APIs and reads a packed binary file (which it extracts).
The binary is a .dll file that locates the API functions it needs and then checks a hash of the name of the file through which the process was started. If the file name is Explorer, it tries to elevate its privileges.
Initially the malicious .dll file copies itself and patches the copy with the shellcode. It then moves the copied file into the system32/setup folder. After that, H1N1 runs several checks (such as the OS version) and tries to elevate its privileges from medium to high integrity.
The loader uses various methods to inject malicious content into legitimate processes. For example, if injection into a default browser fails, it tries to inject the malicious content through svchost.
Lastly, the execution module kicks in where the loader will be executed. The malware conducts fake network tests (for example, pinging various websites), collects information about the infected machine, and then requests content from the C&C server. The HTTP requests are encrypted with RC4 and the data length is transferred in the HTTP header.
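The C&C channel described above (an RC4-encrypted body with the data length carried in an HTTP header) is the kind of thing an analyst decodes from a capture once the key is recovered. The following is an added example, not code from the post or from the loader: the header name `X-Data-Length`, the key and the sample request are all constructed placeholders, since the post does not give them.

```python
from typing import Dict, Tuple

LENGTH_HEADER = "x-data-length"  # placeholder: the real header name is not given in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_http_request(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP request into lower-cased headers and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_beacon(raw: bytes, key: bytes) -> bytes:
    """Validate the declared length against the body, then RC4-decrypt the body."""
    headers, body = parse_http_request(raw)
    declared = int(headers.get(LENGTH_HEADER, "-1"))
    if declared != len(body):
        raise ValueError(f"declared length {declared} != body length {len(body)}")
    return rc4(key, body)


def build_sample_request(key: bytes, plaintext: bytes) -> bytes:
    """Constructed sample capture for testing the decoder; not real H1N1 traffic."""
    body = rc4(key, plaintext)
    head = (f"POST /gate HTTP/1.1\r\nHost: example.invalid\r\n"
            f"X-Data-Length: {len(body)}\r\n\r\n").encode("latin-1")
    return head + body
```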
Following publication of the analysis by Ares and in response to critical feedback from forum members, the seller has been updating and improving H1N1. For example, he responded to criticism of the UAC bypass by announcing that he had changed the bypass method and that it was now similar to the method used by the Carberp Trojan.
In later tests performed by several authoritative forum members, privilege escalation and the UAC bypass had a relatively low success rate. However, since then, the author claims to have fixed the problems with the loader.
An Important Recommendation
H1N1 uses bthudtask.exe for its purposes. This executable is part of Microsoft Windows and is usually located under C:\Windows\system32. The file description is "Bluetooth Uninstall Device Task." If you do not require Bluetooth devices, we would strongly recommend removing the file from your endpoints.
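The execution chain in Ares' analysis (Explorer launched from syswow64/system32, a copy dropped into system32/setup, fallback injection through svchost) and the bthudtask.exe recommendation above together give a small set of host-level indicators that process-creation and file-write telemetry can be checked against. The following is an added example, not from the post or from any vendor: the event format and the sample lines are constructed for illustration, and the rules are heuristics, not a signature for H1N1.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (key=value per line); not real H1N1 logs.
SAMPLE_EVENTS = [
    "type=proc image=C:\\Windows\\explorer.exe parent=C:\\Windows\\System32\\userinit.exe",
    "type=proc image=C:\\Windows\\SysWOW64\\explorer.exe parent=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe",
    "type=file path=C:\\Windows\\System32\\setup\\loader.dll image=C:\\Windows\\SysWOW64\\explorer.exe",
    "type=proc image=C:\\Windows\\System32\\bthudtask.exe parent=C:\\Windows\\SysWOW64\\explorer.exe",
    "type=proc image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\System32\\services.exe",
    "type=proc image=C:\\Windows\\System32\\svchost.exe parent=C:\\Windows\\SysWOW64\\explorer.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'key=value key=value' into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious, based on the behaviours in the post."""
    hits = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    if event.get("type") == "proc":
        # The real Explorer lives at C:\Windows\explorer.exe; the loader starts
        # the copy under syswow64 / system32 instead.
        if image.endswith("\\explorer.exe") and image != "c:\\windows\\explorer.exe":
            hits.append("explorer.exe launched from an unexpected directory")
        # The post recommends removing bthudtask.exe where Bluetooth is unused,
        # so any execution of it is worth a look.
        if image.endswith("\\bthudtask.exe"):
            hits.append("bthudtask.exe executed")
        # Legitimate svchost.exe instances are started by services.exe.
        if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
            hits.append("svchost.exe with a parent other than services.exe")
    elif event.get("type") == "file":
        # The loader moves its patched copy into system32\setup.
        if event.get("path", "").lower().startswith("c:\\windows\\system32\\setup\\"):
            hits.append("file written into System32\\setup")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every line and collect (image, reason) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for reason in evaluate(ev):
            findings.append((ev.get("image", ""), reason))
    return findings
```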
H1N1 is a new type of malware loader and is not yet very sophisticated. However, it has attracted the attention of many high-ranking Russian underground forum members, who have analyzed it and written about its weak points. This seems to be encouraging the seller to improve and upgrade his product and fix the bugs.