ESET researchers warn about a new backdoor deployed most likely by the Lazarus hacking group. Attackers have used it in attacks against a freight and logistics firm.
On Thursday, ESET reported they spotted the new Vyveva backdoor in attacks against a freight company in South Africa.
ESET couldn’t yet identify the initial attack vector for deploying the malware, but having examined machines infected with the malware they saw strong links to the Lazarus group.
The North Korean advanced persistent threat (APT) group is widely thought to be responsible for the global WannaCry ransomware outbreak in 2017. Other campaigns attributed to this APT include a Bangladeshi bank heist, cryptocurrency theft, attacks against South Korean supply chains, the 2014 Sony hack, and other attacks on various US organizations.
First spotted in June 2020, the Vyveva backdoor is one of the latest additions in Lazarus’ arsenal.
Among the capabilities of the backdoor reported in past campaigns are data theft from a compromised machine and its drives, exfiltration of files, remote connection to a command-and-control (C2) server to run arbitrary code, and others. The backdoor can establish fake TLS connections for network communication, connect to the attackers’ C2 via the Tor network, and execute command-line commands issued by the APT.
Having analyzed the backdoor’s codebase, the researchers can attribute Vyveva to Lazarus with “high confidence.” In particular, they noted coding similarities it shares with the older Lazarus malware Manuscrypt/NukeSped.
Vyveva also has “timestomping” capabilities, meaning “it can copy creation/write/access time metadata from a ‘donor’ file to a destination file or use a random date in the years 2000–2004,” researchers write.
It can also filter files by extension so that it focuses only on specific types of content, for example Microsoft Office files.
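The two timestomping behaviours described above (cloning a donor file's timestamps, or picking a random date in 2000–2004) leave traces a defender can look for. The following script is an added example written for this article; it is not ESET's code or part of the Vyveva analysis. It flags files whose creation/write/access timestamps all fall in 2000–2004 and files that share an exact timestamp triple with another file (a possible donor/clone pair). The sample records are constructed, and `scan_directory` lets the same checks run over a real directory tree.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Year range the researchers say Vyveva uses for randomized timestamps.
SUSPICIOUS_YEARS = set(range(2000, 2005))


@dataclass
class FileRecord:
    path: str
    ctime: datetime  # creation time (NTFS birth time) or metadata-change time
    mtime: datetime  # last write
    atime: datetime  # last access


def _ts(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample data (paths and times are illustrative, not from any real host).
SAMPLE_RECORDS = [
    FileRecord("C:/Users/alice/Documents/report.docx",
               _ts(2021, 3, 2, 9, 15), _ts(2021, 3, 2, 9, 15), _ts(2021, 3, 3, 8, 0)),
    FileRecord("C:/Windows/System32/kernel32.dll",
               _ts(2019, 12, 7, 9, 8, 45), _ts(2019, 12, 7, 9, 8, 45), _ts(2019, 12, 7, 9, 8, 45)),
    # Identical triple to kernel32.dll: looks like a donor/clone pair.
    FileRecord("C:/ProgramData/svc/update.dll",
               _ts(2019, 12, 7, 9, 8, 45), _ts(2019, 12, 7, 9, 8, 45), _ts(2019, 12, 7, 9, 8, 45)),
    # All three timestamps inside the 2000-2004 window.
    FileRecord("C:/ProgramData/svc/loader.dll",
               _ts(2002, 7, 19, 14, 2, 11), _ts(2003, 1, 5, 3, 44, 9), _ts(2001, 11, 30, 22, 10, 0)),
]


def find_timestomping(records):
    """Return a list of (path, reason) findings for the two timestomping patterns."""
    findings = []
    by_triple = {}
    for r in records:
        by_triple.setdefault((r.ctime, r.mtime, r.atime), []).append(r.path)

    for r in records:
        years = {r.ctime.year, r.mtime.year, r.atime.year}
        if years <= SUSPICIOUS_YEARS:
            findings.append((r.path, "all timestamps fall in 2000-2004"))
        twins = [p for p in by_triple[(r.ctime, r.mtime, r.atime)] if p != r.path]
        if twins:
            findings.append((r.path, f"exact timestamp triple shared with {len(twins)} other file(s), e.g. {twins[0]}"))
    return findings


def scan_directory(root):
    """Build FileRecords from a real directory tree so the checks above can run on live data."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            # On Windows/macOS the OS exposes a birth time; on Linux st_ctime is
            # inode-change time, which is the closest available approximation.
            birth = getattr(st, "st_birthtime", st.st_ctime)
            to_dt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc)
            records.append(FileRecord(path, to_dt(birth), to_dt(st.st_mtime), to_dt(st.st_atime)))
    return records


if __name__ == "__main__":
    for path, reason in find_timestomping(SAMPLE_RECORDS):
        print(f"{path}: {reason}")
```

Both checks are heuristics: genuinely old files and bulk-installed packages can hit them, so findings are best triaged against where the file lives and whether neighbouring files share the same history. On NTFS, comparing the $STANDARD_INFORMATION timestamps this script sees with the $FILE_NAME timestamps from a forensic MFT parse adds a third signal that stdlib `os.stat` cannot provide.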
Typically, Vyveva contacts its C2 every three minutes via its watchdog modules, exfiltrating a trove of data to its operators for later use in activities likely related to cyberespionage. But researchers say its “components can [also] trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events.”