ESET researchers have discovered a new backdoor, which was used to cyberattack on company freight in South Africa, which they named Vyveva.
Researchers have attributed the malware to the infamous Lazarus group due to its similarity to the group's previous operations, as well as the malware used by the group. The backdoor includes several cyberespionage capabilities, such as transferring files and collecting information from the target computer and its drives. Vyveva communicates with the server Command & Control (C&C) via the Tor network.
ESET telemetry for Vyveva shows that it is a targeted cyber attack, as ESET investigators have identified only two infected machines, which are both servers belonging to the South African company. According to ESET research, Vyveva has been used since at least December 2018.
"Vyveva has a lot of code similarities to older Lazarus Group programs detected by ESET technology. However, the similarities do not stop there: the use of a fake TLS protocol in network communication, how to execute line commands, and the use of encryption services and the Tor network show that we are talking about the Lazarus team. "Therefore, we can very confidently attribute the Vyveva malware to this APT team." ESET, Filip Jurčacko, who analyzed the Lazarus team arsenal.
The backdoor cuts executes commands issued by cybercriminals, such as file and process operations and information gathering. There is also a less commonly seen command for “file timestomping”, which allows the copy timestamps from a "donor" file to a destination file or using a random date.
Vyveva uses the library Tor to communicate with a C&C server. Communicates with C&C at three-minute intervals, sending information about the infected computer and its drives before receiving orders.
“However, of particular interest are watchdogs used to monitor recently connected and disconnected disks, and a session watchdog that monitors the number of active sessions, such as logged-in users. These items can cause connection with the C&C server outside the predefined three-minute interval," explains Jurčacko.
You can read more technical details about Vyveva in the blog post “(Are you) afraid of the dark?"
Overview of the structure of Vyveva