vSingle is abusing GitHub to communicate with the C2 server
Criminals have used various methods to obfuscate a malware’s internals: its information, C2 configuration, TTP, etc. In particular, Lazarus' advanced persistent threat (APT) operations are characterized by using malware specially crafted for attacking financial institutions, espionage, and disruptive purposes. Several campaigns have been carried out against the U.S., Israel and other countries as part of offensive and massive attacks by the Lazarus group.
Technical details
A few weeks ago, the vSingle malware from the Lazarus arsenal was updated with many features, including a command and control (C&C) method based on GitHub pages. vSingle traditionally appears in the form of a PE file (.exe) that loads into the memory of a target DLL. vSingle is a multi-architecture malware, distributed both for Windows and Linux operating systems, as shown below.
Figure 1: ELF VSingle (Linux) and VSingle Windows version
Obfuscation routine
This malware uses a simple XOR to obfuscate its strings with a fixed key. In Figure 2 below, we see the key “o2pq0qy4ymcrbe4s” is used to deobfuscate the malware string in runtime.
Figure 2: String obfuscation of vSingle malware
Some vSingle plain-text strings can be seen in the next table.
[+] Download Result
[+] Upload Result
[+] Upload Parameter Error
[+] Interval Interval was set to
[+] Plugin Download Result
[+] Update
[+] Info
[+] Uninstall Valefor was uninstalled successfully.
[+] Executable Download Result
[+] Executable Download Parameter Error
[+] Plugin Execute ResultMalware commands
VSingle is released by Lazarus APT with eight internal commands, namely:
- file upload
- communication interval
- execute shell commands
- download and execute the malware plugins
- update itself
- malware information transmission
- uninstall itself
- file download
In addition, vSingle uses four types of plugins that can be downloaded into the target machines and executed, including:
- Windows executable (saved as a .tmp file)
- VBS file (saved as a .vbs file)
- BAT file (saved as .bat file); and
- Shellcode format
VSingle GitHub C2 communication
The latest release of this malware takes advantage of several GitHub repositories to perform its operation. Figure 3 below highlights the new feature published by JPCERT/CC analysis.
Figure 3: High-level diagram of VSingle malware (source)
The first packet sent to the C2 server has two PHP parameters, uid and upw. The first one contains a hash value of the target hostname, kernel release number, and IP address. The upw contains a Base64-encoded string of "[IP address]|30.0|12b"
Figure 4: First communication of vSingle malware
The data received from the C2 server, including the RC4 key, are stored in the /tmp directory (/tmp/.sess_%08x), as illustrated in Figure 3.
The GitHub endpoints are generated dynamically during the malware execution. According to the JPCERT/CC analysis, the username and repository used by the malware are obtained from this list during the execution.
(source)
The values are then replaced in the following path:
https://raw.githubusercontent.com/%s/%s/master/README.deFinally, inside the GitHub pages, other endpoints can be obtained during the malware execution, probably the final C2 where data is sent, and the commands received.
Figure 5: vSingle — final C2 endpoint on GitHub repository
Learn Vulnerability Management
Final thoughts
Malware tactics, techniques and procedures are constantly changing. With this approach, Lazarus groups pretend to be away from the cybersecurity radar and extend their threats' life-cycle. Because GitHub is a legitimate source, identifying this kind of traffic as suspicious can be challenging.
Internet traffic should be limited to known sources if possible and monitored as well. Host-based security via EDR and AV systems should also be considered the key to identifying, blocking and tracking cyber threats early.
Sources:
- Lazarus operation, Infosec Institute
- VSingle analysis, JPCERT/CC
- Lazarus malware, JPCERT/CC
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- vSingle is abusing GitHub to communicate with the C2 server
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
