Unit180 (Lazarus) targets Japan!

Japan faces a consistent threat from the North Korean APT Lazarus (Unit180).

Introduction

In this blog I walk through the internals of two malware families, "VSingle" and "ValeforBeta", used by Unit180 in targeted hacking operations against Japan. The tradecraft mirrors Unit180's earlier "Operation Dream Job" activity against Japan, where the group used "Torisma" and "LCPDot": the malware in this campaign was built with similar tactics and techniques.

Analysis

File Information of VSingle Malware.
File Information of ValeForBeta Malware.

Both samples share almost the same code, much as we saw during our research into the previous Japan-focused campaign, where "Torisma" and "LCPDot" were built with similar techniques.

The exports of both malware samples are identical.

Exports of VSingle and ValeforBeta malware.

DllEntryPoint function

This function in "ValeforBeta" and "VSingle" shares the same code as "Torisma" and "LCPDot" from "Operation Dream Job". It first calls the routine labelled "calc_stack_canary_cookie_and_bof_mitigation", which initialises the stack cookie used for buffer-overflow mitigation, and then "dllmain_dispatch", through which the malware's anti-analysis and anti-VM checks are reached. Note that both of these routines correspond to MSVC C runtime code (`__security_init_cookie` and the CRT's `dllmain_dispatch`) that the compiler emits into every /GS-protected DLL, so matching them across two samples is not by itself evidence of code sharing; any malware-specific shared logic has to be in the code reached from them.

reversed code of DllEntryPoint for ValeforBeta and VSingle malware.
Disassembly call graph of ValeforBeta and VSingle malware.

calc_stack_canary_cookie_and_bof_mitigation function

This routine is emitted by the compiler into Windows executables built with /GS (the MSVC CRT's `__security_init_cookie`): it computes the stack-canary cookie value used for buffer-overflow mitigation and is not malware-specific code.

call graph and reversed code of calc_stack_canary_cookie_and_bof_mitigation function.

dllmain_dispatch function

This function is also compiler-emitted, like the previous one (it is the CRT's DllMain dispatcher, which routes DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH notifications to the real DllMain); the anti-VM and anti-analysis checks performed by the samples are reached through it.

code of dllmain_dispatch function.
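The point of the previous three sections is that "DllEntryPoint", the stack-cookie routine and "dllmain_dispatch" are C runtime boilerplate, so a code-reuse comparison between VSingle, ValeforBeta and the Dream Job samples has to discount them before it says anything. The script below is an added example (not from the original post and not the author's tooling) that does exactly that: it splits the function-name overlap between two samples into CRT boilerplate and meaningful matches, and computes a similarity score with the boilerplate removed. The per-sample function inventories are constructed for illustration; only the names that appear in this post are taken from it, and the `hypothetical_*` entries are placeholders, not recovered symbols.

```python
"""Code-reuse triage for DLL samples: which shared functions are CRT boilerplate?

Added example, not from the original post. The function sets are constructed:
the names used in the post are reused, everything prefixed `hypothetical_`
is a placeholder. Real inputs would be a disassembler's function-name export.
"""

# Names the MSVC C runtime emits into every /GS-protected DLL, plus the label
# the post uses for __security_init_cookie. Matching any of these across two
# samples says nothing about malware code sharing.
CRT_BOILERPLATE = {
    "DllEntryPoint",
    "dllmain_dispatch",
    "dllmain_crt_dispatch",
    "__security_init_cookie",
    "__security_check_cookie",
    "calc_stack_canary_cookie_and_bof_mitigation",  # post's label for __security_init_cookie
    "__scrt_initialize_crt",
    "__scrt_dllmain_crt_thread_attach",
}

# Constructed inventories (assumption: illustrative, not recovered from the binaries).
SAMPLES = {
    "VSingle": {
        "DllEntryPoint", "dllmain_dispatch", "calc_stack_canary_cookie_and_bof_mitigation",
        "StartAddress", "execute_shell_command", "command_and_control_ops",
        "hypothetical_file_ops",
    },
    "ValeforBeta": {
        "DllEntryPoint", "dllmain_dispatch", "calc_stack_canary_cookie_and_bof_mitigation",
        "StartAddress", "execute_shell_command", "command_and_control_ops",
        "hypothetical_crypto_helper",
    },
    # A benign /GS-built DLL shares the CRT routines but nothing else.
    "UnrelatedBenignDll": {
        "DllEntryPoint", "dllmain_dispatch", "calc_stack_canary_cookie_and_bof_mitigation",
        "hypothetical_render_frame", "hypothetical_load_config",
    },
}


def split_overlap(a, b, boilerplate=CRT_BOILERPLATE):
    """Return (boilerplate_shared, meaningful_shared) for two function-name sets."""
    shared = set(a) & set(b)
    return shared & boilerplate, shared - boilerplate


def jaccard(a, b, boilerplate=CRT_BOILERPLATE):
    """Jaccard similarity after dropping CRT boilerplate.

    Returns 0.0 when only boilerplate remains, so two unrelated /GS DLLs do
    not look related just because they were built with the same compiler."""
    a2, b2 = set(a) - boilerplate, set(b) - boilerplate
    union = a2 | b2
    return len(a2 & b2) / len(union) if union else 0.0


def pairwise_report(samples):
    """(x, y, naive_jaccard, filtered_jaccard) for every sample pair.

    The naive column counts boilerplate and is what inflates reuse claims."""
    names = sorted(samples)
    rows = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            naive = len(samples[x] & samples[y]) / len(samples[x] | samples[y])
            rows.append((x, y, round(naive, 3), round(jaccard(samples[x], samples[y]), 3)))
    return rows


if __name__ == "__main__":
    for x, y, naive, filtered in pairwise_report(SAMPLES):
        print(f"{x:<20} {y:<20} naive={naive:.3f}  filtered={filtered:.3f}")
    bp, meaningful = split_overlap(SAMPLES["VSingle"], SAMPLES["ValeforBeta"])
    print("boilerplate overlap:", sorted(bp))
    print("meaningful overlap: ", sorted(meaningful))
```

With the constructed inventories the benign DLL scores 0.333 against either sample when boilerplate is counted and 0.0 once it is removed, while VSingle and ValeforBeta keep a 0.6 score from "StartAddress", "execute_shell_command" and "command_and_control_ops". In practice the boilerplate list should be built from a clean /GS-compiled DLL produced by the same toolchain rather than typed by hand, and matching should be done on function bodies (hashes or basic-block signatures) rather than analyst-assigned names.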

Next come the function that sets up the channel used to communicate with the command and control (C2) server and the function that carries out the operations the C2 server requests.

StartAddress function

In this function the Unit180 developers used the same technique we saw in "Torisma" and "LCPDot": they create the same kind of pipe server to set up communication with the C2 server. The function also executes shell commands through "execute_shell_command", and after that the file operations are carried out.

code of StartAddress function.

command_and_control_ops function

This function was developed by Unit180 to carry out the operations requested by the command and control server.

code of command_and_control_ops function.
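The behaviour described for "StartAddress" and "command_and_control_ops" (a process creates a pipe server, then runs shell commands on the C2's behalf) is visible from the endpoint side as a Sysmon Event 17 (PipeCreated) followed shortly by an Event 1 (ProcessCreate) for a shell whose parent is the pipe's creator. The script below is an added example, not from the original post and not Unit180 tooling, that correlates those two events. Every record is constructed: the pipe name, process GUIDs, paths, command lines and timestamps are placeholders, not indicators from the real samples, and the five-minute window is an assumed tuning value.

```python
"""Hunt for 'pipe server, then shell command' in Sysmon-style events.

Added example, not from the original post. Events are constructed and
simplified to the Sysmon fields the logic needs; no value here is an
indicator from VSingle or ValeforBeta.
"""
from datetime import datetime, timedelta

# Constructed events. EventID 17 = PipeCreated, EventID 1 = ProcessCreate;
# field names follow Sysmon's schema (PipeName is logged as "\name").
EVENTS = [
    {"EventID": 1, "UtcTime": "2021-03-01 10:00:00.000", "ProcessGuid": "{G-1}",
     "ParentProcessGuid": "{G-0}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\sample.dll,Export1"},   # placeholder loader
    {"EventID": 17, "UtcTime": "2021-03-01 10:00:01.000", "ProcessGuid": "{G-1}",
     "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\placeholder-pipe"},
    {"EventID": 1, "UtcTime": "2021-03-01 10:00:05.000", "ProcessGuid": "{G-2}",
     "ParentProcessGuid": "{G-1}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    # Benign: a service creates a pipe but never spawns a shell.
    {"EventID": 17, "UtcTime": "2021-03-01 10:01:00.000", "ProcessGuid": "{G-3}",
     "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\benign-pipe"},
    # Benign: a shell spawned by the same service, but far outside the window.
    {"EventID": 1, "UtcTime": "2021-03-01 10:30:00.000", "ProcessGuid": "{G-4}",
     "ParentProcessGuid": "{G-3}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]

SHELLS = {"cmd.exe", "powershell.exe"}


def _ts(s):
    """Parse Sysmon's UtcTime format."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def pipe_then_shell(events, window=timedelta(minutes=5)):
    """Return (creator image, pipe name, shell command line) for every pipe
    whose creating process spawns a shell within `window` of creating it.

    Correlation is on ProcessGuid (pipe creator) == ParentProcessGuid (shell),
    which survives PID reuse, unlike correlating on ProcessId."""
    pipes = {}  # ProcessGuid -> [(created_at, pipe_name, image)]
    for e in events:
        if e["EventID"] == 17:
            pipes.setdefault(e["ProcessGuid"], []).append(
                (_ts(e["UtcTime"]), e["PipeName"], e["Image"]))

    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        if e["Image"].rsplit("\\", 1)[-1].lower() not in SHELLS:
            continue
        started = _ts(e["UtcTime"])
        for created, pipe, image in pipes.get(e["ParentProcessGuid"], []):
            if created <= started <= created + window:
                hits.append((image, pipe, e["CommandLine"]))
    return hits


if __name__ == "__main__":
    for image, pipe, cmdline in pipe_then_shell(EVENTS):
        print(f"pipe {pipe!r} created by {image} followed by shell: {cmdline}")
```

On the constructed data only the rundll32-hosted pipe followed by `cmd.exe /c whoami` fires; the svchost pipe does not, because its shell child arrives outside the window. Real telemetry needs an allow-list of legitimate pipe creators that also spawn shells (installers, some management agents), and the pipe name itself is a stronger pivot once the real one is recovered from the sample.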

Thanks for reading.

Nikhil Rathor | aka Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
