(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor


ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa



ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we have been able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.


Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the operation is most likely espionage.


This blogpost provides the first public, technical analysis of Vyveva’s components.


Attribution to Lazarus


Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, the command line execution chains, and the way encryption and Tor services are used all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.


An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.
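Figure 1 itself is not reproduced here. Export names that a malware author has renamed in a bundled library are a useful pivot for exactly this kind of attribution work: the same unusual names recur across samples, and an analyst can list a DLL's export table and diff it against a known baseline. The script below is an added example, not ESET's code and not derived from Vyveva's binaries: it parses the export directory of a PE file with nothing but the standard library, and `unexpected_exports` flags names absent from a baseline set. Because the real export names are not given on this page, the input is a constructed minimal PE32+ image whose export names (`ExampleTor*`) and DLL name (`sample.dll`) are placeholders.

```python
import struct

# Constructed sample input: a minimal PE32+ image with one section that holds an
# export directory. These export names are placeholders invented for this
# example; they are NOT the real export names of Vyveva's TorSocket DLL.
SAMPLE_EXPORTS = ["ExampleTorInit", "ExampleTorConnect", "ExampleTorSend"]
SECTION_RVA = 0x1000                 # virtual address of the only section
SECTION_RAW = 0x200                  # file offset of that section's raw data
FUNC_RVA_BASE = SECTION_RVA + 0x800  # fake code RVAs for the exported functions


def build_sample_pe(names):
    """Assemble the constructed PE32+ DLL whose export table lists `names`."""
    n = len(names)
    off_funcs = 40                  # IMAGE_EXPORT_DIRECTORY is 40 bytes
    off_names = off_funcs + 4 * n   # AddressOfFunctions: n DWORD RVAs
    off_ords = off_names + 4 * n    # AddressOfNames: n DWORD RVAs
    off_strings = off_ords + 2 * n  # AddressOfNameOrdinals: n WORDs
    strings = bytearray(b"sample.dll\0")
    name_offs = []
    for name in names:
        name_offs.append(off_strings + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = bytearray()
    # Characteristics, TimeDateStamp, Major/MinorVersion, Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    body += struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, SECTION_RVA + off_strings, 1, n, n,
                        SECTION_RVA + off_funcs, SECTION_RVA + off_names, SECTION_RVA + off_ords)
    for i in range(n):
        body += struct.pack("<I", FUNC_RVA_BASE + 0x10 * i)
    for off in name_offs:
        body += struct.pack("<I", SECTION_RVA + off)
    for i in range(n):
        body += struct.pack("<H", i)            # unbiased ordinal == function index
    body += strings
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE header follows the DOS header
    # "PE\0\0", Machine AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (PE32+ = 240), Characteristics (DLL | EXECUTABLE)
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<II", opt, 112, SECTION_RVA, len(body))  # DataDirectory[0] = exports
    sect = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(body), SECTION_RVA,
                       len(body), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    image = bytearray(SECTION_RAW)
    headers = dos + coff + opt + sect
    image[:len(headers)] = headers
    return bytes(image + body)


def _rva_to_offset(sections, rva):
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return (dll_name, [(export_name, ordinal, function_rva), ...]) or None."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)  # data directory: +96 in PE32, +112 in PE32+
    export_rva = struct.unpack_from("<I", data, dd)[0]
    if export_rva == 0:
        return None                             # image exports nothing
    sections = []
    for i in range(nsections):                  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    ed = _rva_to_offset(sections, export_rva)
    name_rva, base, _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIIII", data, ed + 12)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    exports = []
    for i in range(nnames):
        name_ptr = struct.unpack_from("<I", data, names + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        exports.append((_cstring(data, _rva_to_offset(sections, name_ptr)), base + idx, func_rva))
    return _cstring(data, _rva_to_offset(sections, name_rva)), exports


def unexpected_exports(data, baseline):
    """Export names absent from `baseline` (e.g. a stock build of the same library):
    candidates for the uniquely named exports that let analysts pivot between samples."""
    parsed = parse_exports(data)
    return [] if parsed is None else sorted(n for n, _, _ in parsed[1] if n not in baseline)


if __name__ == "__main__":
    sample = build_sample_pe(SAMPLE_EXPORTS)
    dll, exports = parse_exports(sample)
    print(dll)
    for name, ordinal, rva in exports:
        print("  %-20s ordinal %d  RVA 0x%x" % (name, ordinal, rva))
    print("not in baseline:", unexpected_exports(sample, {"ExampleTorInit"}))
```

Point `parse_exports` at the bytes of a real DLL to list its exports; the `build_sample_pe` helper exists only so the script runs offline. The parser deliberately maps RVAs through the section table rather than assuming RVA equals file offset, because that assumption is exactly what breaks on packed or oddly aligned samples.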


SHA-1: 92F5469DBEFDCEE1343934BE149AFC1241CC8497
Filename: msobjs.drx
Description: Vyveva backdoor

BF98EA1326E5F8C351E68C79B5D1E016 ..
