ESET researchers have discovered a new backdoor, which was used for a cyber attack on a freight company in South Africa, which they named Vyveva.
The researchers attributed the malware to the famous Lazarus team because of its resemblance to the group's previous operations, as well as to the malware used by that team. Backdoor includes several cyber espionage capabilities, such as transferring files and gathering information from the target computer and its drives. Vyveva communicates with the Command & Control (C&C) server over the Tor network.
ESET's telemetry for Vyveva indicates that this is a targeted cyberattack, as ESET researchers have identified only two infected machines, both of which are servers owned by the South African company. According to research by ESET, Vyveva has been in use since at least December 2018.
“Vyveva has many code similarities to older proletterτα της ομάδας Lazarus που εντοπίστηκαν από την τεχνολογία της ESET. Ωστόσο, οι ομοιότητες δεν σταματούν εκεί: η χρήση ενός ψεύτικου πρωτοκόλλου TLS σε επικοινωνία δικτύου, ο τρόπος εκτέλεσης orders line and the use of encryption services and the Tor network indicate that we are talking about the Lazarus group. Therefore, we can very confidently attribute the Vyveva malware to this APT group,” says its researcher ESET, Filip Jurčacko, who analyzed the Lazarus team arsenal.
The backdoor cuts executes commands issued by cybercriminals, such as file operations and bwork and information gathering. There is also a less commonly seen command for “file timestomping”, which allows copying timestamps from a “donor” file to a destination file or using a random date.
Vyveva uses the library Tor to communicate with a C&C server. It communicates with C&C at three-minute intervals, sending information about the infected computer and its drives before receiving commands.
Of particular interest, however, are watchdogs used to track recently connected and disconnected discs, and a session watchdog that monitors the number of active sessions, such as logged-in users. "This information can connect to the C&C server outside of the predefined three-minute interval," Jurčacko explains.
You can read more technical details about Vyveva in the blog post “(Are you) afraid of the dark?"
Overview of the structure of Vyveva