Lazarus attacks with new backdoor (Vyveva)

ESET researchers have discovered a new backdoor, used in a cyberattack on a freight logistics company in South Africa, which they named Vyveva.

The researchers have attributed the malware to the notorious Lazarus group because of its similarity to the group's previous operations and to the malware the group is known to use. The backdoor includes several cyber-espionage capabilities, such as file transfer and the collection of information about the target computer and its drives. Vyveva communicates with its Command & Control (C&C) server through the Tor network.

ESET telemetry for Vyveva shows that this is a targeted attack: ESET researchers have identified only two infected machines, both of them servers belonging to the South African company. According to ESET's research, Vyveva has been in use since at least December 2018.

"Vyveva has a lot of code similarities to older Lazarus Group programs detected by ESET technology. However, the similarities do not stop there: the use of a fake TLS protocol in network communication, the way command-line commands are executed, and the use of encryption services and the Tor network show that we are talking about the Lazarus group. Therefore, we can very confidently attribute the Vyveva malware to this APT group," says Filip Jurčacko of ESET, who analyzed the Lazarus group's arsenal.

The backdoor executes commands issued by the cybercriminals, such as file and process operations and information gathering. There is also a less common "file timestomping" command, which copies the timestamps of a "donor" file onto a destination file or sets them to a random date.

Vyveva uses the Tor library to communicate with its C&C server. It contacts the C&C at three-minute intervals, sending information about the infected computer and its drives before receiving commands.

"However, of particular interest are the watchdogs used to monitor disks being attached and detached, and a session watchdog that monitors the number of active sessions, such as logged-in users. These elements can trigger a connection to the C&C server outside of the predefined three-minute interval," explains Jurčacko.
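The regular three-minute check-in described above, punctuated by occasional watchdog-triggered connections outside that schedule, is the kind of pattern a defender can look for in connection logs. The following is an added example written for this article, not code from ESET or from the Vyveva analysis: it parses a constructed, whitespace-separated connection log (timestamp, source, destination, port), estimates each flow's dominant inter-connection gap, and flags flows where most gaps cluster on that period while tolerating a few irregular ones. The log format, addresses, port and timestamps are all assumptions built for the demonstration; the approach generalises beyond the fixed 180-second period by inferring the period from the median gap.

```python
"""Periodic-beacon detection over connection-log lines (added example).

The log lines below are CONSTRUCTED for this demonstration and are not
real Vyveva traffic; the format "<unix_ts> <src_ip> <dst_ip> <dst_port>"
is an assumption, not a format used by any particular product.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one host checking in every 180 s to a single
# destination, with one extra connection at 1610 standing in for a
# watchdog-triggered contact outside the schedule, plus benign noise.
SAMPLE_LOG = """
1000 10.0.0.5 198.51.100.7 9001
1005 10.0.0.5 203.0.113.20 443
1042 10.0.0.5 203.0.113.20 443
1100 10.0.0.6 203.0.113.20 443
1180 10.0.0.5 198.51.100.7 9001
1280 10.0.0.6 203.0.113.20 443
1300 10.0.0.5 203.0.113.20 443
1360 10.0.0.5 198.51.100.7 9001
1540 10.0.0.5 198.51.100.7 9001
1610 10.0.0.5 198.51.100.7 9001
1650 10.0.0.5 203.0.113.20 443
1651 10.0.0.5 203.0.113.20 443
1720 10.0.0.5 198.51.100.7 9001
1900 10.0.0.5 198.51.100.7 9001
2000 10.0.0.5 203.0.113.20 443
2080 10.0.0.5 198.51.100.7 9001
"""


def parse_log(text):
    """Turn log text into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        events.append((float(ts), src, dst, int(port)))
    return events


def find_beacons(events, period=None, tolerance=5.0, min_hits=5):
    """Flag (src, dst, port) flows whose connection gaps cluster on a period.

    If `period` is None, the period is estimated per flow as the median gap,
    so a 3-minute beacon and a 10-minute beacon are both found without
    knowing the interval in advance. Gaps outside the tolerance (such as a
    watchdog-triggered contact) are counted but do not disqualify the flow.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)

    findings = []
    for flow, times in by_flow.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        est = median(gaps) if period is None else period
        on_period = [g for g in gaps if abs(g - est) <= tolerance]
        if len(on_period) >= min_hits:
            findings.append({
                "flow": flow,
                "connections": len(times),
                "period": est,
                "periodic_gaps": len(on_period),
                "irregular_gaps": len(gaps) - len(on_period),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print(f"{src} -> {dst}:{port} every ~{hit['period']:.0f}s "
              f"({hit['periodic_gaps']} periodic, "
              f"{hit['irregular_gaps']} irregular gaps)")
```

On the constructed input only the 9001 flow is reported: five gaps sit on the 180-second period and two (70 s and 110 s, around the extra connection) are irregular, while the 443 traffic has no dominant interval and the second host has too few connections to judge. In practice `min_hits` and `tolerance` are tuned to the log volume, and a hit is a lead for investigation (what process owns the socket, whether the destination is a Tor entry node) rather than a verdict on its own.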

You can read more technical details about Vyveva in the blog post "(Are you) afraid of the dark?"

Figure: Overview of the structure of Vyveva

iGuRu.gr The Best Technology Site in Greece


Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.
