H1N1 Loader

H1N1 is a piece of malware that first emerged online in 2015. Back then, it appeared to have one sole purpose: introducing additional malware to the compromised host. However, the H1N1 Loader kept on receiving updates aiming to extend its functionality and introduce new features like an info collecting module that can obtain data from compromised systems. The H1N1 Loader has been used in combination with notorious malware families such as the Pony Botnet and Vawtrak. Apart from loading malware implants like the latter, the first variations of the H1N1 Loader also were capable of obtaining system information and sending it to a remote control server.

The H1N1 Loader is spread via fake Microsoft Office documents containing a corrupted macro script frequently. Often, the files may pose as important documents related to credits, debt, taxes, bank confirmation, card information, etc. When launched, the documents use a misleading message to prompt the user to click the 'Enable Content' button, which would allow the execution of macros. Once this requirement is met, the corrupted document may use the embedded macro scripts to try and deploy the H1N1 Loader.

The H1N1 Loader uses the process hollowing techniques to hijack the 'explorer.exe' Windows process and inject the corrupted code to execute in its memory. This is a common feature among Trojan loaders and downloaders since they may be able to avoid some debugging tools and automated detection utilities by exploiting legitimate Windows processes.

Taking the necessary measures to stop first-stage payloads like the H1N1 Loader can save you a lot of trouble. This malware's ability to deploy additional applications is very threatening, and users should prevent this by investing in reputable anti-virus software.