
VSingle and ValeforBeta: Lazarus Malware Targeting Japan

In this post, we introduce the malware (VSingle and ValeforBeta) used in an attack campaign by the Lazarus group that was confirmed in Japan, as well as the tools the attacker used inside the compromised network.

Overview of VSingle

VSingle is an HTTP bot that can execute arbitrary code remotely. It can also download and run plugins.
After starting, the malware launches Explorer, injects its main code (the part that handles communication and so on) into a DLL, and then executes it (some samples that do not perform DLL injection have also been observed). In addition, we confirmed that the following PDB path is included in the main code.

G:\Valefor\Valefor_Single\Release\.pdb

The following sections describe VSingle's string obfuscation, communication method, and functions.

VSingle string obfuscation

VSingle obfuscates many of the strings used in the sample.

The following image shows the code that deobfuscates the strings. It decodes XOR-obfuscated strings using a fixed key (o2pq0qy4ymcrbe4s).

(Figure: VSingle string deobfuscation code)

The following is part of the string list after deobfuscation.

[+] Download Parameter Error
[+] Download Result
[+] Upload Result
[+] Upload Parameter Error
[+] Interval Interval was set to
[+] Plugin Download Result
[+] Update
[+] Info
[+] Uninstall Valefor was uninstalled successfully.
[+] Executable Download Result
[+] Executable Download Parameter Error
[+] Plugin Execute Result
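The deobfuscation routine described above is a repeating-key XOR, which analysts can reproduce offline to recover the string table from a sample. The following is an added example for that purpose; it is not code from the report or from the malware. The only fact taken from the report is the fixed key; the sample blob is constructed by obfuscating one of the strings listed above with that key.

```python
"""Repeating-key XOR decoder for VSingle-style obfuscated strings.

Added example for analysts, not code from the report or the malware. The
only fact taken from the report is the fixed key (o2pq0qy4ymcrbe4s); the
sample blob below was constructed by obfuscating a string with that key.
"""

KEY = b"o2pq0qy4ymcrbe4s"  # fixed key quoted in the report


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the key byte at the same offset modulo the key length.

    XOR is its own inverse, so this one routine both obfuscates and
    deobfuscates; the malware only needs the decode direction at runtime.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_string(blob: bytes, key: bytes = KEY) -> str:
    """Decode one obfuscated blob to text; undecodable bytes become U+FFFD.

    Obfuscated blobs may legitimately contain 0x00 bytes (a plaintext byte
    equal to the key byte at that offset), so they must be carved by length,
    never treated as NUL-terminated C strings.
    """
    return xor_with_key(blob, key).decode("utf-8", errors="replace")


def decode_table(blobs, key: bytes = KEY) -> list:
    """Decode a whole table of obfuscated strings, e.g. carved from .rdata."""
    return [decode_string(b, key) for b in blobs]


def is_plausible_text(s: str) -> bool:
    """Cheap sanity check when trying a candidate key: printable ASCII only."""
    return len(s) > 0 and all(32 <= ord(c) < 127 for c in s)


# Constructed sample blob: "[+] Download Result" obfuscated with KEY, written
# out as hex the way an analyst would paste it from a hex dump. Note the
# embedded 0x00 at offset 15 where plaintext 's' met key byte 's'.
SAMPLE_BLOB = bytes.fromhex("34192d51741e0e5a15020216423751001a5e04")

if __name__ == "__main__":
    for text in decode_table([SAMPLE_BLOB, xor_with_key(b"[+] Upload Result")]):
        print(text, "(plausible)" if is_plausible_text(text) else "(garbage)")
```

Because the key is fixed across samples, the same decoder can be run over every length-delimited blob in a sample's string table, and `is_plausible_text` gives a quick signal when a variant turns out to use a different key.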

Functions of VSingle

VSingle's functionality is simple: it supports only the eight commands shown in Table 1.

Table 1: VSingle commands

Command number  Content
1               File upload
2               Communication interval setting
3               Execute any shell command
4               Download / execute the plug-in
5               Update
6               Malware information transmission
7               Uninstall
8               File download

Plug-ins can be executed in four formats:

· Windows executable (saved as a .tmp file)
· VBS file (saved as a .vbs file)
· BAT file (saved as .bat file)
· Shellcode format

Overview of ValeforBeta

ValeforBeta is an HTTP bot written in Delphi with even less functionality than VSingle: apart from remote execution of arbitrary code, it can only upload and download files.
The following sections describe ValeforBeta's configuration information, communication method, and functions.

ValeforBeta configuration information

The following image shows the code that loads the ValeforBeta configuration information. In addition to the C2 address, the configuration includes the sample ID ("512"), communication type, communication interval, and so on.

(Figure: ValeforBeta configuration loading code)

There are three communication types, corresponding to the WinINet access types:

· Direct connection (INTERNET_OPEN_TYPE_DIRECT)
· Use default settings (INTERNET_OPEN_TYPE_PRECONFIG)
· Connect via proxy (INTERNET_OPEN_TYPE_PROXY)

ValeforBeta functions

ValeforBeta has only six commands, as shown in Table 2.

Table 2: ValeforBeta commands

Command number  Content
1               File download
2               File upload
3               Execute any shell command
4               Uninstall (cmd /c ping -n 4 127.0.0.1 > NUL & echo VFB > execute "localhost")
6               Sleep time setting
7               Send system information

Tools used inside the network

The following tools were confirmed to have been used in this attack campaign. The attacker used them on infected hosts to relay communications:

· 3Proxy
· Stunnel
· Plink

IOCs

http://aquagoat.com/customer
http://blacktiger.com/input
http://bluedog.com/submit
http://coraltiger.com/search
http://goldtiger.com/find
http://greentiger.com/submit
http://industryarticleboard.com/evolution
http://industryarticleboard.com/view
http://maturicafe.com/main
http://purplefrog.com/remove
http://whitedragon.com/search
https://coralcameleon.com/register
https://industryarticleboard.com/article
https://maturicafe.com/polo
https://salmonrabbit.com/login
https://whitecameleon.com/find
https://whiterabbit.com/input
http://toysbagonline.com/reviews
http://purewatertokyo.com/list
http://pinkgoat.com/input
http://yellowlion.com/remove
http://salmonrabbit.com/find
http://bluecow.com/input
http://www.karin-store.com/data/config/total_manager.php
http://katawaku.jp/bbs/data/group/group-manager.php
http://3.90.97.16/doc/total.php

Hashes

MD5:
282d74d4f4ecd1a539d5838e3b2d2c60
01c13144ea9d9728500dc6c067bab899

SHA-1:
abfe86de2204db091d2317d962adbfeda59e8b87
49b22529fec0c372b08e2afe67eccde13b3ab6cc

SHA-256:
487c1bdb65634a794fa5e359c383c94945ce9f0806fcad46440e919ba0e6166e
eb846bb491bea698b99eab80d58fd1f2530b0c1ee5588f7ea02ce0ce209ddb60
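One practical use of the IOC list above is to sweep web-proxy logs and file-hash inventories for matches. The following is an added detection example, not part of the original post: it takes a subset of the URLs and hashes listed above, distinguishes exact URL matches from weaker host-only matches, and runs over constructed log lines and hash records (not real telemetry).

```python
"""Match proxy log lines and file hashes against the IOCs listed in the report.

Added detection example; not part of the original post. The URL and hash
values are copied from the report's IOC list (a subset, for brevity); the
log lines and hash records are constructed for the example.
"""
from urllib.parse import urlsplit

C2_URLS = [
    "http://aquagoat.com/customer",
    "http://bluedog.com/submit",
    "http://industryarticleboard.com/evolution",
    "http://industryarticleboard.com/view",
    "https://industryarticleboard.com/article",
    "http://3.90.97.16/doc/total.php",
]

FILE_HASHES = {
    "282d74d4f4ecd1a539d5838e3b2d2c60",                                  # MD5
    "abfe86de2204db091d2317d962adbfeda59e8b87",                          # SHA-1
    "487c1bdb65634a794fa5e359c383c94945ce9f0806fcad46440e919ba0e6166e",  # SHA-256
}


def normalize(url: str):
    """Return (lower-case host, path); scheme, port and query are ignored."""
    p = urlsplit(url.strip())
    return (p.hostname or "").lower(), p.path or "/"


IOC_URLS = {normalize(u) for u in C2_URLS}
IOC_HOSTS = {host for host, _ in IOC_URLS}


def classify_url(url: str):
    """'url' for an exact host+path hit, 'host' for a host-only hit, else None."""
    host, path = normalize(url)
    if (host, path) in IOC_URLS:
        return "url"
    if host in IOC_HOSTS:
        return "host"
    return None


def scan_proxy_log(lines):
    """Parse 'timestamp src_ip method url status' lines and collect IOC hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:          # skip malformed or truncated lines
            continue
        ts, src, _method, url = fields[:4]
        kind = classify_url(url)
        if kind:
            hits.append({"ts": ts, "src": src, "url": url, "match": kind})
    return hits


def scan_hashes(records):
    """records: iterable of (name, hexdigest); case-insensitive match."""
    return [(name, h) for name, h in records if h.strip().lower() in FILE_HASHES]


# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2021-02-01T09:12:44Z 10.20.30.40 GET http://bluedog.com/submit 200",
    "2021-02-01T09:13:01Z 10.20.30.41 GET https://www.example.com/index.html 200",
    "2021-02-01T09:14:19Z 10.20.30.40 POST http://industryarticleboard.com/other 404",
    "2021-02-01T09:15:03Z 10.20.30.42 GET http://3.90.97.16/doc/total.php 200",
    "malformed line",
]
SAMPLE_HASHES = [
    ("update.tmp", "282D74D4F4ECD1A539D5838E3B2D2C60"),
    ("benign.exe", "0" * 32),
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
    print(scan_hashes(SAMPLE_HASHES))
```

Exact URL matches carry the most weight; a host-only match (as on the `/other` path in the sample) is a lower-confidence lead that should be triaged against the rest of the host's traffic rather than alerted on by itself, since the same domain may serve unrelated content.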