The Lazarus hacking group employed a new backdoor in targeted attacks against a South African freight and logistics firm.
The new backdoor malware, dubbed Vyveva, was discovered by researchers at ESET. Although the initial attack vector used to deploy it is not known, examination of the infected machines showed strong links to the Lazarus group.
Lazarus is a state-sponsored advanced persistent threat (APT) group of North Korean origin. It is held responsible for the global WannaCry ransomware outbreak, the $80 million Bangladeshi bank heist, attacks against South Korean supply chains, cryptocurrency theft, the 2014 Sony hack, and various other cyberattacks against US organizations.
Vyveva is one of the latest weapons discovered in the Lazarus arsenal. The backdoor was first spotted in June 2020 but could have been in use since at least 2018.
The backdoor can exfiltrate files, gather data from an infected machine and its drives, remotely connect to a command-and-control (C2) server and run arbitrary code. It also uses fake TLS connections for network communication, includes a component for reaching its C2 via the Tor network, and relies on command-line execution chains the APT has employed in past campaigns.
Vyveva also includes a “timestomping” option that copies a file's creation, write and access timestamps from a ‘donor’ file, alongside a notable feature for file copying: the ability to filter out particular extensions and focus only on specific types of content for exfiltration.
The backdoor contacts its C2 every three minutes through watchdog modules, sending its operators a stream of data that includes when drives are connected or disconnected, as well as the number of active sessions and logged-in users, activity associated with cyberespionage.
These components can also trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, on new drive and session events.
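A fixed three-minute check-in of this kind is a pattern a defender can look for in proxy or flow logs. The following Python is an added example, not ESET's code or anything taken from the malware: it groups outbound connections by source/destination pair and flags pairs whose inter-arrival gaps cluster around one period, while tolerating the off-schedule connections that event-triggered components would add. The log, hosts, addresses and timestamps are constructed for the example.

```python
"""Flag fixed-interval C2 check-ins in outbound connection logs.

Added example, not ESET's code or anything from the malware. The log
below is constructed: one host beaconing to one destination every
180 seconds, two extra event-triggered connections, and some
unrelated traffic. Addresses and times are placeholders.
"""
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2021, 4, 8, 9, 0, 0)   # constructed start time
SAMPLE_LOG = [
    (BASE + timedelta(seconds=180 * i), "10.0.0.12", "203.0.113.50")
    for i in range(16)                   # regular three-minute beacon
] + [
    (BASE + timedelta(seconds=400), "10.0.0.12", "203.0.113.50"),   # drive event
    (BASE + timedelta(seconds=1100), "10.0.0.12", "203.0.113.50"),  # session event
    (BASE + timedelta(seconds=37), "10.0.0.12", "198.51.100.7"),    # unrelated
    (BASE + timedelta(seconds=900), "10.0.0.12", "198.51.100.7"),
]

def beacon_candidates(log, min_events=8, tolerance=5, min_share=0.7):
    """Return {(src, dst): period_seconds} for pairs whose inter-arrival
    gaps cluster around one period.

    The median gap is used as the period so that a few off-schedule,
    event-triggered connections do not skew it; min_share is the fraction
    of gaps that must lie within `tolerance` seconds of that period.
    """
    by_pair = {}
    for ts, src, dst in log:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue                     # too few connections to judge
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        on_schedule = sum(abs(g - period) <= tolerance for g in gaps)
        if on_schedule / len(gaps) >= min_share:
            findings[pair] = period
    return findings

if __name__ == "__main__":
    for (src, dst), period in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: connects about every {period:.0f}s")
```

Tune `tolerance` and `min_share` to the jitter you see in your own environment; a backdoor that randomises its interval would need a looser tolerance or a histogram-based test instead of a single median.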
The backdoor’s codebase allows the researchers to attribute Vyveva to Lazarus.