Lazarus APT Targets Japanese Organizations with VSingle and ValeforBeta Malware

Security researchers are observing an ongoing malicious activity launched by the infamous Lazarus APT against Japanese organizations. Most of the infections follow the same routine and rely on VSingle and ValeforBeta malware samples.

VSingle and ValeforBeta Analysis

The latest inquiry by Shusei Tomonaga shows that VSingle malware acts as an HTTP bot designed to download and execute second-stage malicious strains on the targeted instance. Once installed, the malware launches Explorer, hides its nefarious activity with the help of DLL injection, and communicates to the attacker’s command and control (C&C) server to receive further instruction. VSingle functionality is rather simple and allows the malware to download and execute plugins, execute arbitrary code, send additional information, and load files to the machine under attack.

ValeforBeta is also an HTTP bot that obtains even simpler functionality compared to VSingle. ValeforBeta is able to perform code execution, upload or download files from the remote network, and transmit system data to the attackers’ server. 

Both observed malicious strains serve for gaining a foothold and uploading additional attack tools to the infected instance. Notably, during the infection process, Lazarus hackers also apply legitimate 3proxy, Stunnel, and Plink software to establish communications with the attacker’s server, perform basic reconnaissance, and control targeted resources.

Detecting Lazarus Attacks

To defend against malicious activity associated with VSingle and ValeforBeta malware, our active Threat Bounty developer, Emir Erdogan, released a community Sigma rule: https://tdm.socprime.com/tdm/info/VNJk0ZZEmheD/AA2UbngBFLC5HdFVMDc5 

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

EDR: Carbon Black

MITRE ATT&CK: 

Tactics: Execution, Lateral Movement, Command and Control, 

Techniques: Command-Line Interface (T1059), Remote File Copy (T1544)

Actor: Lazarus Group

North-Korean state-sponsored Lazarus APT group is extremely active in launching various malicious campaigns aimed at the financial gain and political intervention. Since 2009, Lazarus has been tied to various loud cybersecurity incidents, including the Sony Pictures breach, Bangladesh Central Bank heist, and WannaCry attack. COVID-19 outbreak expanded the intrusion vectors and the list of targets for the nation-backed actor. Last year the group was involved in attacks against multiple cryptocurrency exchanges and pharmaceutical firms developing vaccines. The year 2021 was marked by malicious operations against aerospace and defense contractors during Operation Dream Job. To identify the malicious activity linked to Lazarus APT and proactively respond to possible cyber-attacks, check dedicated detection content available in Threat Detection Marketplace. 

Searching for the best SOC content compatible with your SIEM, EDR, and NTDR tools in use? Get a free subscription to our Threat Detection Marketplace and reach 100K+ detection and response rules easily convertible to various formats. Enjoy coding and want to contribute to the industry-first SOC content library? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty