Vyveva: Lazarus hacking group’s latest weapon strikes South African freight

The backdoor is being used to spy on the activities of freight companies.

Researchers have discovered a new backdoor employed by the Lazarus hacking group in targeted attacks against the freight industry. 

On Thursday, ESET said the new backdoor malware, dubbed Vyveva, was traced in an attack against a South African freight and logistics firm. 

While the initial attack vector for deploying the malware is not yet known, examining machines infected with the malware revealed strong links to the Lazarus group. 

Lazarus is an advanced persistent threat (APT) group of North Korean origin. The state-sponsored cyberattackers are prolific and are deemed responsible for the global WannaCry ransomware outbreak; $80 million Bangladeshi bank heist; attacks against South Korean supply chains, cryptocurrency theft, the 2014 Sony hack, and various other assaults against US organizations. 

Vyveva is one of the latest weapons discovered in the Lazarus arsenal. The backdoor was first spotted in June 2020 but could have been in use since at least 2018.

The backdoor is able to exfiltrate files, gather data from an infected machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. In addition, the backdoor uses fake TLS connections for network communication, a component for connecting to its C2 via the Tor network, and command-line execution chains employed by the APT in past campaigns. 

There are coding similarities to the older Lazarus malware family Manuscrypt/NukeSped. 

Vyveva also includes a "timestomping" option which allows timestamp creation/write/access times to be copied from a 'donor' file, alongside an interesting feature for file copying: the ability to filter out particular extensions and focus only on specific types of content, such as Microsoft Office files, for exfiltration. 

The backdoor contacts its C2 every three minutes through watchdog modules, sending a stream of data to its operators including when drives are connected or disconnected, as well as the number of active sessions and logged-in users -- activities likely linked to cyberespionage. 

"These components can [also] trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events," ESET notes. 

The researchers added that the backdoor's codebase allows them to attribute Vyveva to Lazarus with "high confidence." 

In February, the US Department of Justice (DoJ) indicted two alleged North Korean hackers and expanded charges against another for being part of Lazarus. 

Assistant Attorney General John Demers has described the APT as a "criminal syndicate with a flag."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0