YamaBot Malware Used by Lazarus – JPCERT/CC Eyes

YamaBot, linked to Lazarus, targets both Linux and Windows with HTTP-based C2 communication and RC4-based encoding for configuration and commands. The report details Linux and Windows variants, their C2 interactions, commands, and the infrastructure and hashes associated with this activity. #YamaBot #Lazarus #JPCERTCC #Windows #Linux

Keypoints

  • Lazarus continues to use YamaBot, with variants targeting Linux (Kaos) and Windows OSs, described in JPCERT/CC research.
  • YamaBot communicates with its C2 server via HTTP requests, including an initial HTTP POST with a Base64-encoded User-Agent.
  • Configuration and commands are RC4-encrypted and Base64-encoded, with the RC4 key derived from MD5 data related to the target.
  • The malware collects system information (hostname, username, MAC address, OS version) and IP address, which is sent to the C2 in an encoded form.
  • Windows variants implement mutex-based single-instance behavior and a Windows-specific command set; Linux variants use /bin/sh for shell commands.
  • The C2 infrastructure includes three endpoints and two sample hashes, with some payloads disguised as BMP data when large.

MITRE Techniques

  • [T1071.001] Web Protocols – The malware uses HTTP to communicate with C2 servers. Quote: (‘YamaBot communicates with the C2 server using HTTP requests. The following is the first HTTP POST request sent by YamaBot.’)
  • [T1059.003] Windows Command Shell – Windows variant implements commands such as dir, Mapfs, Download, Info, Sleep, Uninstall, i. Quote: (‘The Windows OS version have multiple commands implemented as follows: dir: Get the file list; Mapfs: Get the directory list; Download: Download file.’)
  • [T1059.004] Unix Shell – Linux variant executes shell commands via /bin/sh. Quote: (‘The malware targeting Linux OS can only execute shell commands by /bin/sh.’)
  • [T1082] System Information Discovery – The malware collects OS information and IP address as part of initial data. Quote: (‘The first data sent by captcha_val is OS information and IP address.’)
  • [T1132.001] Data Encoding – Captcha sessions/values are RC4-encrypted and Base64-encoded. Quote: (‘The captcha_session contains a randomly generated string and a RC4 key ([random characters (16 bytes)][RC4 key (16 bytes)][random characters (4 bytes)]), Base64-encoded.’)
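The captcha_session layout quoted above ([16 random bytes][16-byte RC4 key][4 random bytes], Base64-encoded) and the RC4-plus-Base64 encoding of the captcha_val data can be turned into a small triage helper for analysts working from captured HTTP POST bodies. The following is an added example, not code from JPCERT/CC or from the malware: it extracts the RC4 key from a captcha_session value and decodes the matching captcha_val; the field names come from the report, while the sample key and plaintext are constructed here for the round trip.

```python
import base64
import os

# Layout of the decoded captcha_session field as described in the report:
# [16 random bytes][16-byte RC4 key][4 random bytes]
RAND_PREFIX_LEN = 16
KEY_LEN = 16
RAND_SUFFIX_LEN = 4
SESSION_LEN = RAND_PREFIX_LEN + KEY_LEN + RAND_SUFFIX_LEN


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_rc4_key(captcha_session: str) -> bytes:
    """Base64-decode captcha_session and return the 16-byte RC4 key at offset 16."""
    raw = base64.b64decode(captcha_session)
    if len(raw) != SESSION_LEN:
        raise ValueError(f"unexpected captcha_session length {len(raw)}, expected {SESSION_LEN}")
    return raw[RAND_PREFIX_LEN:RAND_PREFIX_LEN + KEY_LEN]


def decode_captcha_val(captcha_session: str, captcha_val: str) -> bytes:
    """Recover the plaintext of a captcha_val body using the key carried in captcha_session."""
    key = extract_rc4_key(captcha_session)
    return rc4(key, base64.b64decode(captcha_val))


def build_sample_exchange(plaintext: bytes, key: bytes) -> tuple[str, str]:
    """Construct a sample captcha_session/captcha_val pair (test data, not captured traffic)."""
    session = os.urandom(RAND_PREFIX_LEN) + key + os.urandom(RAND_SUFFIX_LEN)
    return base64.b64encode(session).decode(), base64.b64encode(rc4(key, plaintext)).decode()


if __name__ == "__main__":
    # Constructed sample only; a real capture would supply both POST parameters.
    sess, val = build_sample_exchange(b"hostname|user|aa:bb:cc:dd:ee:ff|Linux", b"0123456789abcdef")
    print(decode_captcha_val(sess, val))
```

On real captures, feed the two POST parameters straight into decode_captcha_val; a ValueError on the session length is a quick sign that the sample uses a different layout than the one described here.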

Indicators of Compromise

  • [Domain] C2 domains – karin-store.com, yoshinorihirano.net
  • [IP Address] C2 server IP – 213.180.180.154
  • [URL] C2 endpoints – http://www.karin-store.com/recaptcha.php, http://yoshinorihirano.net/wp-includes/feed-xml.php, http://213.180.180.154/editor/session/aaa000/support.php
  • [Hash] Malware hashes – f226086b5959eb96bd30dec0ffcbf0f09186cd11721507f416f1c39901addafb, 6db57bbc2d07343dd6ceba0f53c73756af78f09fe1cb5ce8e8008e5e7242eae1

Read more: https://blogs.jpcert.or.jp/en/2022/07/yamabot.html