ESET researchers have discovered a previously undocumented backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva. They have attributed the malware to the infamous Lazarus group due to shared similarities with the group’s previous operations and samples.
The backdoor includes several cyber-espionage capabilities, such as file exfiltration and gathering information about the targeted computer and its drives. It communicates with its Command & Control (C&C) server via the Tor anonymity network.
ESET telemetry for Vyveva suggests targeted deployment as ESET researchers have found only two victim machines, both of which are servers owned by the aforementioned South African logistics company. According to the ESET investigation, Vyveva has been in use since at least December 2018.
“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” says ESET researcher Filip Jurčacko, who analyzed the discovered Lazarus arsenal.
The backdoor executes commands issued by the threat actors, like file and process operations and information gathering. There is also a less commonly seen command for file timestomping, which allows copying timestamps from a “donor” file to a destination file or use of a random date.
Vyveva uses the Tor library to communicate with a C&C server. It contacts the C&C at three-minute intervals, sending information about the victimized computer and its drives before receiving commands.
“However, of particular interest are the backdoor’s watchdogs used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions, like logged-on users. These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval,” explains Jurčacko.