The North Korean-backed Lazarus hacking group used new malware with backdoor capabilities dubbed Vyveva n targeted attacks against a South African freight logistics company.
Vyveva was first used in a June 2020 attack as ESET researchers discovered, but further evidence shows Lazarus has been deploying it in previous attacks going back to at least December 2018.
While ESET only found two machines infected with this malware, both of them belonging to the same South African freight company, the backdoor was likely used in other targeted espionage campaigns since it was first deployed in the wild.
“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology,” security researcher Filip Jurčacko said in a report published today.
“However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence.”
Backdoor made in North Korea
The malware comes with an extensive set of cyber-espionage capabilities allowing Lazarus operators to harvest and exfiltrate files from infected systems to servers under their control using the Tor anonymous network as a secure communication channel.
Lazarus can also use Vyveva to deliver and execute arbitrary malicious code on any compromised system on the victims’ network.
Among its other “features,” the backdoor has support for timestomping commands, which allows its operators to manipulate any file’s date using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files.
While the backdoor will connect to its command-and-control (C2) server once every three minutes, it also uses watchdogs designed to keep track of newly connected drives or the active user sessions to trigger new C2 connections on new session or drive events.
“Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal,” Jurčacko added. “Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.”
Recent Lazarus activity
The Lazarus Group, a military hacking group backed by the Democratic People’s Republic of Korea, is also tracked as HIDDEN COBRA by the United States Intelligence Community.
They are known for targeting high-profile orgs such as Sony Films as part of Operation Blockbuster in 2014, multiple banks worldwide, and coordinating the 2017 global WannaCry ransomware campaign.
In January, Lazarus targeted security researchers in social engineering attacks using elaborate fake “security researcher” social media personas, with a similar campaign being detected and blocked by Google in March while in its early stages.
The same month, it was discovered that they targeted the defense industry with a previously undocumented backdoor dubbed ThreatNeedle in an espionage campaign active since early 2020.
Indicators of compromise, including Vyveva sample hashes used during attacks targeting the South African freight company, are available at the end of ESET’s report.