Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)
The attack group Lazarus (also known as Hidden Cobra) conducts various attack operations. This article introduces malware (VSingle and ValeforBeta) and tools used in attacks against Japanese organisations.
VSingle overview
VSingle is an HTTP bot that executes arbitrary code received from a remote server. It also downloads and executes plugins.
Once launched, this malware runs Explorer and executes its main code through DLL injection. (Some samples do not perform DLL injection.) The main code contains the following PDB path:
G:\Valefor\Valefor_Single\Release\VSingle.pdb
The next sections describe VSingle's obfuscation technique and communication format.
VSingle obfuscation technique
Most of the strings in VSingle are obfuscated. Figure 1 shows the string deobfuscation routine: a fixed key value (o2pq0qy4ymcrbe4s) is XORed with the obfuscated data to recover the strings.
Below are some of the decoded strings:
[+] Download Parameter Error
[+] Download Result
[+] Upload Result
[+] Upload Parameter Error
[+] Interval Interval was set to
[+] Plugin Download Result
[+] Update
[+] Info
[+] …
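The XOR scheme described above, as an added example that is not JPCERT's code: a repeating-key decoder for the key quoted on this page, plus a scanner that tries the key at every phase to recover obfuscated strings from a dumped data section when their start offsets are unknown. The repeating-key layout and NUL-terminated strings are assumptions, and the sample buffer is constructed here.

```python
import re
from typing import List, Tuple

# Key quoted on the page for VSingle's XOR string obfuscation.
KEY = b"o2pq0qy4ymcrbe4s"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR (assumed scheme). Symmetric: obfuscates and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(blob: bytes, key: bytes = KEY) -> str:
    """Decode one obfuscated string; the decoded NUL (assumed terminator) ends it."""
    plain = xor_with_key(blob, key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def find_obfuscated_strings(buf: bytes, key: bytes = KEY,
                            min_len: int = 8) -> List[Tuple[int, str]]:
    """Recover strings from a raw buffer without knowing where each starts:
    apply the key at each of its len(key) phases and keep printable,
    NUL-terminated runs. Returns sorted (offset, string) pairs; wrong phases
    can yield junk candidates, which the analyst filters by eye."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}\x00" % min_len)
    found = set()
    for phase in range(len(key)):
        rotated = key[phase:] + key[:phase]
        decoded = xor_with_key(buf, rotated)
        for m in pattern.finditer(decoded):
            found.add((m.start(), m.group()[:-1].decode("ascii")))
    return sorted(found)


# Constructed sample: two strings (each XORed with the key restarting at its
# first byte, NUL terminator included) embedded in non-ASCII filler bytes.
# Filler is >= 0x80 so it never decodes to printable ASCII under this key.
FILLER = bytes([0x80, 0x91, 0xA2, 0xB3, 0xC4, 0xD5, 0xE6, 0xF7, 0xFF])
SAMPLE = (FILLER
          + xor_with_key(b"[+] Download Result\x00")      # at offset 9
          + FILLER[:5]
          + xor_with_key(b"[+] Interval was set to\x00"))  # at offset 34

if __name__ == "__main__":
    for offset, text in find_obfuscated_strings(SAMPLE):
        print(f"{offset:#06x}  {text}")
```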
IoC