Lazarus attacks with new backdoor (Vyveva)

ESET researchers have discovered a new backdoor, which was used to cyberattack on freight in South Africa, which they named Vyveva.

Researchers have attributed the to the infamous Lazarus group due to its similarity to the group's previous operations, as well as the malware used by the group. The backdoor includes several cyberespionage capabilities, such as transferring files and collecting information from the target computer and its drives. Vyveva communicates with the server & Control (C&C) via the Tor network.

ESET telemetry for Vyveva shows that it is a targeted cyber attack, as ESET investigators have identified only two infected machines, which are both servers belonging to the South African company. According to ESET research, Vyveva has been used since at least December 2018.

"Vyveva has a lot of code similarities to older Lazarus Group programs detected by ESET technology. However, the similarities do not stop there: the use of a fake TLS protocol in network communication, how to execute line commands, and the use of encryption services and the Tor network show that we are talking about the Lazarus team. "Therefore, we can very confidently attribute the Vyveva malware to this APT team." ESET, Filip Jurčacko, who analyzed the Lazarus team arsenal.

The backdoor cuts executes commands issued by cybercriminals, such as file and process operations and information gathering. There is also a less commonly seen command for “file timestomping”, which allows the timestamps from a "donor" file to a destination file or using a random date.

Vyveva uses the library Tor to communicate with a C&C server. Communicates with C&C at three-minute intervals, sending information about the infected computer and its drives before receiving orders.

“However, of particular interest are watchdogs used to monitor recently connected and disconnected disks, and a session watchdog that monitors the number of active sessions, such as logged-in users. These items can cause with the C&C server outside the predefined three-minute interval," explains Jurčacko.

You can read more technical details about Vyveva in the blog post “(Are you) afraid of the dark?"

Overview of the structure of Vyveva

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.082 registrants.

backdoor cutslazarusVyveva

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).