Lazarus APT adds new Vyveva backdoor to its malware arsenal


The North Korea-backed Lazarus hacker group has been spotted using previously undocumented malware with backdoor capabilities in attacks targeting a freight logistics company in South Africa.

Dubbed Vyveva, the malware was first observed in a June 2020 attack. However, it appears that Lazarus has been using it since at least December 2018, according to the ESET researchers who discovered the threat.

So far, ESET found only two victim machines, both of which were servers owned by a freight logistics company located in South Africa, but it is possible that the backdoor may have been used in other targeted cyber-espionage campaigns carried out by Lazarus.

The researchers said that the attribution to the North Korea-linked hackers was made based on multiple code similarities between Vyveva and older Lazarus samples, namely the NukeSped malware family.

“However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence,” the researchers wrote in a report.

While ESET has not been able to identify the initial compromise vector, the researchers discovered three of Vyveva's multiple components: its installer, loader and backdoor. The installer creates a service that ensures persistence of the backdoor loader, and it also stores the embedded default backdoor configuration in the registry; the loader decrypts the backdoor using a simple XOR decryption algorithm.

As for the backdoor itself, it comes with support for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators.

The backdoor is able to connect to the attackers’ command and control server and execute 23 commands, most of which are ordinary commands for file and process operations or information gathering, ESET said.

“Of particular interest are the backdoor’s watchdogs, which can be optionally enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, and on new drive and session events,” according to the security firm.

To communicate with a C&C server, Vyveva uses the Tor library, which is based on the official Tor source code. It contacts the C&C every three minutes, sending information about the victim computer and its drives before receiving commands.
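The regular three-minute beacon plus the watchdog-triggered off-schedule connections described above make a usable detection pattern. The following script is an added illustration, not code from the article or from ESET's report: it runs over constructed outbound-connection log lines, infers each host-to-destination pair's period from the median gap between connections, counts connections that land on that schedule, and lists the ones that fall outside it. The log format, hostnames and addresses are assumed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not from the ESET report): srv-01 beacons every 180 s with
# one extra off-schedule connection; srv-02 connects at irregular intervals.
SAMPLE_LOG = """\
2020-06-01T10:00:00 srv-01 -> 203.0.113.10:443
2020-06-01T10:03:00 srv-01 -> 203.0.113.10:443
2020-06-01T10:06:00 srv-01 -> 203.0.113.10:443
2020-06-01T10:07:20 srv-01 -> 203.0.113.10:443
2020-06-01T10:09:00 srv-01 -> 203.0.113.10:443
2020-06-01T10:12:00 srv-01 -> 203.0.113.10:443
2020-06-01T10:00:05 srv-02 -> 198.51.100.7:443
2020-06-01T10:00:41 srv-02 -> 198.51.100.7:443
2020-06-01T10:05:12 srv-02 -> 198.51.100.7:443
2020-06-01T10:17:30 srv-02 -> 198.51.100.7:443
"""

def parse_log(text):
    """Return (timestamp, host, destination) tuples from 'ts host -> dest' lines."""
    return [(datetime.fromisoformat(ts), host, dest)
            for ts, host, _arrow, dest in (l.split() for l in text.splitlines() if l.strip())]

def analyse_beacons(records, tolerance_s=15, min_regular=4):
    """Per (host, dest) pair: infer the beacon period as the median gap, count connections
    that fall on that period's grid (anchored at the first one) and list those that don't."""
    by_pair = defaultdict(list)
    for ts, host, dest in records:
        by_pair[(host, dest)].append(ts)
    report = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < 3:
            continue  # too few connections to infer a period
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps, no usable schedule
        on_schedule, off_schedule = 0, []
        for t in times:
            offset = (t - times[0]).total_seconds() % period
            if min(offset, period - offset) <= tolerance_s:
                on_schedule += 1
            else:
                off_schedule.append(t.isoformat())  # e.g. a watchdog-triggered connection
        report[pair] = {"period_s": period, "on_schedule": on_schedule,
                        "off_schedule": off_schedule, "suspect": on_schedule >= min_regular}
    return report
```

On the sample, srv-01 is reported with a 180 s period, five on-schedule connections and the 10:07:20 connection flagged as off-schedule, while srv-02 is not flagged.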

“Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group,” the researchers concluded.
