Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)
2021-03-22 • JPCERT
JPCERT/CC describes Lazarus activity against Japanese organizations using the VSingle and ValeforBeta HTTP bot families. In some samples VSingle runs as a DLL injected into Explorer; it decodes obfuscated strings with a fixed XOR key, communicates with its C2 over HTTP GET requests that carry Base64-encoded host data, and can execute commands or download PE, VBS, BAT and shellcode plugins. ValeforBeta is a Delphi HTTP bot that uploads files, downloads files and executes commands over POST traffic, disguising host information in cookies and returning command results formatted to look like BMP images. The report gives C2 examples such as maturicafe.com and 3.90.97.16 and details proxy support, configuration fields and command sets that defenders can use for detection.
Indicators of Compromise