lazarusholic

Unit180 (Lazarus) targets Japan!

2021-05-06, 0xthreatintel
https://malware.news/t/unit180-lazarus-targets-japan/48806

Contents

Japan faces a consistent threat from the NK APT Lazarus.
Introduction
In this blog post, I will walk you through the internals of two malware families, “VSingle” and “ValeforBeta”, used by Unit180 in targeted hacking operations against Japan. These operations resemble the ones Unit180 ran against Japan in “Operation Dream Job”, where they used “Torisma” and “LCPDot”. The malware in this campaign was also built following similar tactics and techniques.
Analysis
Static Analysis (Basic)
File Information of VSingle Malware.
File Information of ValeforBeta Malware.
Static Analysis (Advanced)
Both malware samples contain code very similar to what we have encountered during our research. In their previous campaign targeting Japan, where they used “Torisma” and “LCPDot” for the hacking operations, they used similar techniques.
The exports in both malware samples are the same.
Exports of VSingle and ValeforBeta malware.
DllEntryPoint function
This function, present in both the “ValeforBeta” and “VSingle” malware, shares similar code with “Torisma” and “LCPDot” from “Operation Dream Job”. …