Japan faces a persistent threat from the North Korean APT group Lazarus.
In this blog post I will walk you through the internals of two malware families, “VSingle” and “ValeforBeta”, used by Unit180 in targeted hacking operations against Japan, much like the operations Unit180 carried out against Japan in “Operation Dream Job” using “Torisma” and “LCPDot”. The malware in this campaign was also built following similar tactics and techniques.
Static Analysis (Basic)
Static Analysis (Advanced)
Both malware samples share almost the same code as what we encountered during our earlier research: in their previous campaign targeting Japan, where they used “Torisma” and “LCPDot” for the hacking operations, they relied on similar techniques.
The exports of both malware samples are the same.
Exports of VSingle and ValeforBeta malware.
This function, present in both “ValeforBeta” and “VSingle”, shares similar code with “Torisma” and “LCPDot” from “Operation Dream Job”. In it, the buffer-overflow, anti-VM and anti-analysis checks are performed through the “Bof_with_anti_VM_check” and “buffer_overflow_and_anti_analysis” functions. “DllEntryPoint” also calls another function, “dllmain_dispatch”, which mainly performs the anti-analysis and anti-VM checks for the malware.
Reversed code of the DllEntryPoint function of the ValeforBeta and VSingle malware.
This function is used by Unit180 to set up the buffer overflow on the victim system, to check for a VM, and to run all of the anti-analysis checks on the infected system.
This function is similar to the previous one, as it also performs the anti-VM and anti-analysis checks.
Now let us move on to the function used to set up the server for communication with the command and control (C2) server, and to the function that carries out the operations requested by the C2 server.
In this function the Unit180 developers used the same technique we saw in “Torisma” and “LCPDot”: they create the same pipe server to set up communication with the command and control (C2) server. This function also executes shell commands through the “execute_shell_command” function, and afterwards carries out the file operations.
This function was developed by the Unit180 developers to carry out the operations of the command and control server.
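As an added illustration of the detection side of the behaviour described above (a DLL that creates a pipe server for C2 and then runs shell commands), here is a small Python correlation over constructed Sysmon-style events. This is example code written for this editorial pass, not code from the original post and not code from the malware; the event field names are simplified assumptions modelled on Sysmon Event ID 17 (pipe created) and Event ID 1 (process create), and the pipe name, file paths and process ids are constructed placeholders rather than indicators from the VSingle/ValeforBeta samples.

```python
"""
Added example, not from the original post: flag a process that both creates
a named pipe server and spawns a shell, using constructed Sysmon-style events.
Field names are simplified assumptions; all values below are constructed.
"""
from collections import defaultdict

# Child images that count as "a shell was spawned".
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry (placeholders, not real IoCs).
SAMPLE_EVENTS = [
    # Event ID 1: rundll32 loads a DLL (constructed path and export ordinal).
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\example.dll,#1", "ParentProcessId": 3300},
    # Event ID 17: the same process creates a named pipe (placeholder name).
    {"EventID": 17, "ProcessId": 4120, "Image": r"C:\Windows\System32\rundll32.exe",
     "PipeName": r"\example_pipe_placeholder"},
    # Event ID 1: the same process spawns cmd.exe.
    {"EventID": 1, "ProcessId": 4188, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentProcessId": 4120},
    # Benign noise: a system service creating a pipe, an editor starting.
    {"EventID": 17, "ProcessId": 800, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\lsass"},
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Program Files\Editor\editor.exe",
     "CommandLine": "editor.exe", "ParentProcessId": 3300},
]


def correlate(events):
    """Return one hit per process that created a pipe AND spawned a shell."""
    pipes = defaultdict(list)     # pid -> pipe names it created
    children = defaultdict(list)  # parent pid -> child process images
    images = {}                   # pid -> image path, for reporting

    for e in events:
        if e["EventID"] == 17:
            pipes[e["ProcessId"]].append(e["PipeName"])
            images[e["ProcessId"]] = e["Image"]
        elif e["EventID"] == 1:
            images[e["ProcessId"]] = e["Image"]
            children[e["ParentProcessId"]].append(e["Image"])

    hits = []
    for pid, names in pipes.items():
        # Compare only the file name of each child against the shell list.
        shells = [c for c in children.get(pid, [])
                  if c.rsplit("\\", 1)[-1].lower() in SHELLS]
        if shells:
            hits.append({"pid": pid, "image": images.get(pid),
                         "pipes": names, "shells": shells})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"pid {hit['pid']} ({hit['image']}) created {hit['pipes']} "
              f"and spawned {hit['shells']}")
```

The correlation keys only on pid, so it is deliberately blind to the pipe name; that is the point of pairing the pipe event with the shell spawn, since the pipe name is the part an operator can change most cheaply.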
- Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) - JPCERT/CC Eyes
- Internals of Lazarus Operation Dream Job
Thanks for reading.