VSingle malware that obtains C2 server information from GitHub
2022-07-05 • JPCERT
Recently, VSingle, the malware used by Lazarus, has been updated to retrieve C2 server information from GitHub.

Some types of malware use DGA, obfuscate destination information, or contain fake C2 server information in order to hide the real C2 server. When the malware cannot obtain data from those C2 servers, it accesses GitHub to obtain new ones. (VSingle on Windows does not include this update and uses the Windows API rather than the wget command.)

While most malware uses system calls and/or APIs to communicate with C2 servers, VSingle instead executes the wget command, which leaves traces easily.
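Because this variant shells out to wget, the fetch shows up in process-execution logs. The following detection logic is an added example, not part of the JPCERT report: it scans constructed, simplified auditd-style lines for wget fetches from GitHub hosts (github.com and raw.githubusercontent.com, assumed here as the hosts involved) and raises an alert only when the fetch is paired with a second anomaly (non-shell parent, or output written to a hidden or temp path). The repository path, parent process name and log format are constructed placeholders.

```python
import os
import re
import shlex
from urllib.parse import urlparse

# Constructed process-execution events (simplified auditd EXECVE style).
# Made up for this example; they are not indicators from the report.
SAMPLE_LOG = """\
pid=2231 ppid=2200 parent=bash user=alice cmd='wget https://example.org/release.tar.gz'
pid=4112 ppid=1 parent=cfgd user=root cmd='wget -q -O /tmp/.c2 https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/c2.txt'
pid=4120 ppid=4112 parent=cfgd user=root cmd='wget --quiet https://github.com/EXAMPLE-USER/EXAMPLE-REPO/raw/main/c2.txt -O /var/tmp/.x'
pid=5001 ppid=5000 parent=bash user=bob cmd='wget https://github.com/EXAMPLE-USER/EXAMPLE-REPO/archive/main.zip'
pid=5100 ppid=1 parent=cron user=root cmd='curl -s https://raw.githubusercontent.com/EXAMPLE-USER/EXAMPLE-REPO/main/x'
"""

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}  # assumption: GitHub hosts fetched
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "fish"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
LINE_RE = re.compile(r"pid=(\d+) ppid=(\d+) parent=(\S+) user=(\S+) cmd='([^']*)'")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, ppid, parent, user, cmd = m.groups()
    return {"pid": int(pid), "ppid": int(ppid), "parent": parent,
            "user": user, "argv": shlex.split(cmd)}

def wget_url(argv):
    """Return the first URL argument of a wget command line; None for other tools."""
    if not argv or argv[0] != "wget":
        return None  # the report describes wget only; curl is out of scope here
    return next((a for a in argv[1:] if a.startswith(("http://", "https://"))), None)

def assess(event):
    """Return the list of reasons an event is suspicious (empty list = not a GitHub wget)."""
    url = wget_url(event["argv"])
    host = urlparse(url).hostname if url else None
    if host not in GITHUB_HOSTS:
        return []
    reasons = ["wget fetch from GitHub host " + host]
    if event["parent"] not in INTERACTIVE_SHELLS:
        reasons.append("parent is not an interactive shell: " + event["parent"])
    argv = event["argv"]
    if "-O" in argv and argv.index("-O") + 1 < len(argv):
        out = argv[argv.index("-O") + 1]
        if out.startswith(TEMP_DIRS) or os.path.basename(out).startswith("."):
            reasons.append("output written to hidden or temp path: " + out)
    return reasons

def detect(log_text):
    """Map pid -> reasons for events that combine a GitHub wget with at least one anomaly."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and len(reasons := assess(ev)) >= 2:
            hits[ev["pid"]] = reasons
    return hits
```

A developer running wget against GitHub from an interactive shell (pid 5001) is deliberately not flagged; only the two fetches from a non-shell parent into hidden temp files are.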
Indicators of Compromise