ESET researchers have discovered a new backdoor, which they named Vyveva, that was used in a cyberattack on a freight company in South Africa.
The researchers attributed the malware to the famous Lazarus team because of its resemblance to the group's previous operations and to the malware used by that team. The backdoor includes several cyber-espionage capabilities, such as transferring files and gathering information from the target computer and its drives. Vyveva communicates with its Command & Control (C&C) server over the Tor network.
ESET telemetry for Vyveva indicates a targeted attack: ESET investigators have identified only two infected machines, both of them servers belonging to the South African company. According to ESET research, Vyveva has been in use since at least December 2018.
"Vyveva has a lot of code similarities to older Lazarus Group programs detected by ESET technology. However, the similarities do not stop there: the use of a fake TLS protocol in network communication, how to execute line commands, and the use of encryption services and the Tor network show that we are talking about the Lazarus team. Therefore, we can very confidently attribute the Vyveva malware to this APT team," says ESET's Filip Jurčacko, who analyzed the Lazarus team arsenal.
The backdoor executes commands issued by the cybercriminals, such as file and process operations and information gathering. There is also a less common "file timestomping" command, which copies timestamps from a "donor" file to a destination file or sets a random date.
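A defender can look for the timestomping behavior described above in NTFS metadata. The following is an added example, not code from ESET or from the malware: it assumes per-file timestamps have already been exported by an MFT parser, and the record field names, paths and values are constructed for illustration. Both checks are triage heuristics, since archive extraction and installers can produce similar patterns.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the ESET report). Field names are hypothetical:
# si_* = $STANDARD_INFORMATION times, which user-mode code can overwrite;
# fn_created = $FILE_NAME creation time, which NTFS itself maintains.
RECORDS = [
    {"path": r"C:\Lab\donor.dll", "si_created": "2016-07-16T11:42:07.183452",
     "si_modified": "2016-07-16T11:42:07.199077",
     "si_accessed": "2016-07-16T11:42:07.183452",
     "fn_created": "2016-07-16T11:42:07.183452"},
    {"path": r"C:\Lab\clone.dll", "si_created": "2016-07-16T11:42:07.183452",
     "si_modified": "2016-07-16T11:42:07.199077",
     "si_accessed": "2016-07-16T11:42:07.183452",
     "fn_created": "2019-03-04T02:15:44.501223"},   # timestamps copied from donor
    {"path": r"C:\Lab\random.dat", "si_created": "2009-11-23T08:01:00.000000",
     "si_modified": "2009-11-23T08:01:00.000000",
     "si_accessed": "2009-11-23T08:01:00.000000",
     "fn_created": "2019-03-04T02:16:10.774310"},   # arbitrary date written
    {"path": r"C:\Lab\normal.txt", "si_created": "2019-02-11T09:30:12.660914",
     "si_modified": "2019-02-20T14:05:48.120338",
     "si_accessed": "2019-02-20T14:05:48.120338",
     "fn_created": "2019-02-11T09:30:12.660914"},   # untouched file
]
TIME_FIELDS = ("si_created", "si_modified", "si_accessed", "fn_created")

def parse(rec):
    """Convert the ISO-8601 strings of one record into datetime objects."""
    out = {"path": rec["path"]}
    for field in TIME_FIELDS:
        out[field] = datetime.fromisoformat(rec[field])
    return out

def backdated(records):
    """Files whose $SI creation time predates the $FN creation time."""
    return [r["path"] for r in map(parse, records)
            if r["si_created"] < r["fn_created"]]

def cloned_timestamps(records):
    """Groups of files sharing an identical $SI (created, modified, accessed) triple."""
    groups = defaultdict(list)
    for r in map(parse, records):
        groups[(r["si_created"], r["si_modified"], r["si_accessed"])].append(r["path"])
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]

if __name__ == "__main__":
    print("backdated:", backdated(RECORDS))
    print("clone groups:", cloned_timestamps(RECORDS))
```

The clone check surfaces a donor/destination pair even when the copied dates look plausible, while the backdating check also catches the random-date case.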
Vyveva uses the Tor library to communicate with its C&C server. It contacts the C&C at three-minute intervals, sending information about the infected computer and its drives before receiving commands.
Of particular interest, however, are the watchdogs used to track recently connected and disconnected drives, and a session watchdog that monitors the number of active sessions, such as logged-in users. "This information can connect to the C&C server outside of the predefined three-minute interval," Jurčacko explains.
You can read more technical details about Vyveva in the blog post "(Are you) afreight of the dark?"
Overview of the structure of Vyveva