Lazarus attacks with new backdoor (Vyveva)

ESET researchers have discovered a new backdoor, which they named Vyveva, that was used in a cyberattack on a freight company in South Africa.

The researchers attributed the malware to the well-known Lazarus group because of its resemblance to the group's previous operations and to malware the group has used before. The backdoor includes several cyber-espionage capabilities, such as transferring files and gathering information about the target computer and its drives. Vyveva communicates with its Command & Control (C&C) server over the Tor network.

ESET's telemetry for Vyveva indicates a targeted attack: ESET researchers have identified only two infected machines, both of them servers owned by the South African company. According to ESET, Vyveva has been in use since at least December 2018.

“Vyveva has many code similarities to older Lazarus group samples detected by ESET technology. However, the similarities do not stop there: the use of a fake TLS protocol in network communication, the way the command line is executed, and the use of encryption services and the Tor network indicate that we are talking about the Lazarus group. Therefore, we can very confidently attribute the Vyveva malware to this APT group,” says ESET researcher Filip Jurčacko, who analyzed the Lazarus group's arsenal.

The backdoor executes commands issued by the attackers, such as file operations and information gathering. There is also a less commonly seen command for “file timestomping”, which allows copying the timestamps from a “donor” file to a destination file, or setting a random date.

Vyveva uses the Tor library to communicate with its C&C server. It contacts the C&C at three-minute intervals, sending information about the infected computer and its drives before receiving commands.

Of particular interest, however, are the watchdogs used to track recently connected and disconnected drives, and a session watchdog that monitors the number of active sessions, such as logged-in users. "This information can connect to the C&C server outside of the predefined three-minute interval," Jurčacko explains.
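The fixed three-minute beacon described above is something a defender can look for in outbound connection logs. The following is an added example, not code from ESET or from the article: it groups connections by source and destination, takes the median gap between them (so that a few extra watchdog-triggered connections outside the regular interval do not hide the pattern), and flags pairs whose median gap is close to 180 seconds. The log lines and addresses are constructed sample data.

```python
"""Added example (not from ESET or the article): flag hosts whose outbound
connections to one destination recur at a near-fixed interval, such as the
three-minute C&C beacon described for Vyveva."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of outbound connection log lines: "<ISO time> <src> <dst>:<port>".
# 10.0.0.5 beacons every 180 s with one extra event (a watchdog-triggered
# connection outside the regular interval); 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2021-04-08T10:00:00 10.0.0.5 203.0.113.7:443
2021-04-08T10:03:00 10.0.0.5 203.0.113.7:443
2021-04-08T10:06:01 10.0.0.5 203.0.113.7:443
2021-04-08T10:07:30 10.0.0.5 203.0.113.7:443
2021-04-08T10:09:00 10.0.0.5 203.0.113.7:443
2021-04-08T10:12:00 10.0.0.5 203.0.113.7:443
2021-04-08T10:00:10 10.0.0.9 198.51.100.2:443
2021-04-08T10:00:45 10.0.0.9 198.51.100.2:443
2021-04-08T10:09:00 10.0.0.9 198.51.100.2:443
2021-04-08T10:31:00 10.0.0.9 198.51.100.2:443
"""

def find_beacons(log_text, expected_secs=180, tolerance_secs=10, min_events=4):
    """Return (src, dst) pairs whose median inter-connection gap is within
    tolerance of expected_secs. The median absorbs a few out-of-interval
    connections, e.g. those triggered by Vyveva's drive/session watchdogs."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst = line.split()
        times[(src, dst)].append(datetime.fromisoformat(ts))
    hits = []
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - expected_secs) <= tolerance_secs:
            hits.append(pair)
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # → [('10.0.0.5', '203.0.113.7:443')]
```

On real data the tolerance and minimum event count need tuning, and a hit is a lead for investigation, not proof of infection.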

You can read more technical details about Vyveva in the blog post “(Are you) afraid of the dark?”

Overview of the structure of Vyveva


Written by newsbot
