VSingle and ValeforBeta Malware Used by Lazarus in Attacks Targeting Japan

In this post, we introduce the malware (VSingle and ValeforBeta) used in attacks by the Lazarus group that were confirmed in Japan, and the tools the attacker used inside the compromised network.

Overview of VSingle

VSingle is an HTTP bot that can execute arbitrary code remotely. It can also download and run plugins.
On startup, the malware launches Explorer and injects the main code, which handles communication and other tasks, as a DLL and then executes it (some samples that do not perform DLL injection have also been confirmed). We have also confirmed that the following PDB path is included in the main code.


The following sections describe VSingle's string obfuscation, communication method, and functions.

String obfuscation

VSingle obfuscates many of the strings used in the sample.

The following image shows the code that deobfuscates the strings. It decodes XOR-obfuscated strings using the fixed key "o2pq0qy4ymcrbe4s".


The following are some of the strings after deobfuscation.

[+] Download Parameter Error
[+] Download Result
[+] Upload Result
[+] Upload Parameter Error
[+] Interval Interval was set to
[+] Plugin Download Result
[+] Update
[+] Info
[+] Uninstall Valefor was uninstalled successfully.
[+] Executable Download Result
[+] Executable Download Parameter Error
[+] Plugin Execute Result
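As an added example (not code from the original post or from the malware), the following Python shows how an analyst can recover strings of this kind from a dumped buffer: it applies repeating-key XOR with the key quoted above and keeps only chunks that decode to printable ASCII. The key is the one named in the post; the layout assumed here (NUL-terminated strings, key restarting at each string) and the sample buffer are constructed for illustration.

```python
from itertools import cycle

# Fixed key quoted in the post; the repeating-key, NUL-terminated layout is an assumption.
KEY = b"o2pq0qy4ymcrbe4s"


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. Applying it twice restores the input, so the same
    function both obfuscates (for building test data) and deobfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def is_printable_ascii(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= b < 0x7F for b in data)


def carve_strings(blob: bytes, key: bytes = KEY, min_len: int = 8) -> list[str]:
    """Recover obfuscated strings from a dumped buffer without running the sample.

    Assumed model: each obfuscated string is stored NUL-terminated and the key
    restarts at the first byte of every string. A chunk counts as a hit only if
    every decoded byte is printable ASCII, which filters out code and data that
    merely happens to sit between NULs. Caveat of this model: a plaintext byte
    equal to the key byte at that position would encode as 0x00 and split the string.
    """
    hits = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        plain = xor_with_key(chunk, key)
        if is_printable_ascii(plain):
            hits.append(plain.decode("ascii"))
    return hits


# Constructed sample buffer: two of the strings listed in the post, obfuscated with
# the key, surrounded by NUL-separated filler that must not be reported.
_PLAIN = [b"[+] Uninstall Valefor was uninstalled successfully.", b"[+] Upload Result"]
_FILLER = bytes([0x90, 0x8B, 0xFF, 0x01, 0x7F, 0x80, 0x02, 0xEE, 0x11])  # long but non-printable
SAMPLE_BLOB = b"\x00".join([_FILLER, *(xor_with_key(p) for p in _PLAIN), b"\x12\x34\x56"])

if __name__ == "__main__":
    for s in carve_strings(SAMPLE_BLOB):
        print(s)
```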

Functions of VSingle

The functionality of VSingle is simple: it has only the eight commands shown in Table 1.

Table 1: VSingle commands

Command number   Content
1                File upload
2                Communication interval setting
3                Execute arbitrary shell command
4                Download and execute plugin
5                Update
6                Send malware information
7                Uninstall
8                File download

There are four types of plug-ins that can be executed:

· Windows executable (saved as a .tmp file)
· VBS file (saved as a .vbs file)
· BAT file (saved as .bat file)
· Shellcode format

Overview of ValeforBeta

ValeforBeta is an HTTP bot written in Delphi with even less functionality than VSingle: apart from executing arbitrary code remotely, it can only upload and download files.
The following sections describe ValeforBeta's configuration information, communication method, and functions.

ValeforBeta configuration information

The following image shows the code that loads the ValeforBeta configuration. In addition to the C2 server, the configuration includes the sample ID ("512"), the communication type, the communication interval, and so on.


Three communication types are supported:

· Direct connection (INTERNET_OPEN_TYPE_DIRECT)
· Use default settings (INTERNET_OPEN_TYPE_PRECONFIG)
· Connect via proxy (INTERNET_OPEN_TYPE_PROXY)

ValeforBeta functions

ValeforBeta has only the six commands shown in Table 2.

Table 2: ValeforBeta commands

Command number   Content
1                File download
2                File upload
3                Execute arbitrary shell command
4                Uninstall (executes cmd /c ping -n 4 > NUL & echo VFB > "localhost")
6                Sleep time setting
7                Send system information

Tools used inside the network

The following tools were confirmed in this attack campaign. The attacker used them on the infected host to relay communications:

· 3Proxy
· Stunnel
· Plink