VSingle malware that obtains C2 server information from GitHub
Some types of malware use a DGA, obfuscate destination information, or contain fake C2 server information in order to hide the real C2 server. Others obtain C2 server information from legitimate servers. Recently, VSingle, malware used by Lazarus, has been updated to retrieve C2 server information from GitHub. This article focuses on the updates to VSingle. VSingle has two versions, one targeting Windows OS and the other targeting Linux OS, and this article is based on the latter, which has more updates.
Overview of VSingle
VSingle has three hard-coded C2 servers. However, when it cannot obtain data from them, the malware accesses GitHub to obtain new C2 servers. Figure 1 shows the operation flow of VSingle.
The first communication sends the following data.
uid contains a hash of the hostname, the kernel release number, and one octet of the IP address, combined.
upw contains a Base64-encoded string of …
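As an added example (not code from the original article), the following Python scans proxy log lines for the beacon shape described above: a request whose query string carries both a uid parameter and a Base64-encoded upw parameter. The log format, hostnames, uid and upw values are constructed placeholders, not real indicators.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample value for the upw parameter (not a real observed value).
_SAMPLE_UPW = base64.b64encode(b"constructed|sample|value").decode()

# Constructed proxy log lines in the format "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOG = (
    "2022-05-10T10:00:01Z 10.0.0.5 GET https://www.example.invalid/index.html\n"
    f"2022-05-10T10:00:02Z 10.0.0.7 GET https://c2.example.invalid/api/x.php?uid=0123abcd&upw={_SAMPLE_UPW}\n"
    "2022-05-10T10:00:03Z 10.0.0.7 GET https://c2.example.invalid/api/x.php?uid=0123abcd&upw=%%%notb64\n"
    "2022-05-10T10:00:04Z 10.0.0.9 GET https://cdn.example.invalid/static?uid=1&v=2\n"
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def decode_upw(value: str):
    """Return the decoded upw payload as text, or None if it is not clean Base64 text."""
    try:
        raw = base64.b64decode(value, validate=True)  # strict alphabet and padding check
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_beacons(log_text: str):
    """Return (client_ip, host, uid, decoded_upw) for each line matching the beacon shape."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        qs = parse_qs(parts.query)
        if "uid" not in qs or "upw" not in qs:
            continue  # the beacon carries both parameters
        decoded = decode_upw(qs["upw"][0])
        if decoded is None:
            continue  # upw is Base64-encoded, so undecodable values are not this beacon
        hits.append((m.group("client"), parts.hostname, qs["uid"][0], decoded))
    return hits
```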
IoC