The Lazarus hacking group uses a new backdoor in targeted attacks against the freight industry, according to researchers.
The new backdoor malware, dubbed Vyveva, was discovered in an attack against a South African freight and logistics firm on Thursday, according to ESET.
While the initial attack vector for distributing the malware is unknown, examining infected machines revealed strong ties to the Lazarus group.
Lazarus is a North Korea-based advanced persistent threat (APT) group. The global WannaCry ransomware outbreak, an $80 million Bangladeshi bank heist, attacks on South Korean supply chains, cryptocurrency theft, the 2014 Sony hack, and other attacks against US organizations have all been blamed on the state-sponsored group.
Vyveva is one of the most recently discovered Lazarus tools. The backdoor was found in June 2020, but it may have been in use since at least 2018.
The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a command-and-control (C2) server remotely, and execute arbitrary code. In addition, the backdoor employs phony TLS connections for network communication, a component for connecting to its C2 via the Tor network, and command-line execution chains previously employed by the APT.
Vyveva shares coding similarities with Manuscrypt/NukeSped, an older Lazarus malware family.
Vyveva also includes a “timestomping” option, which copies a file's creation, write and access timestamps from a “donor” file, as well as an intriguing file-copying feature: the ability to filter by extension and collect only specific types of content, such as Microsoft Office files, for exfiltration.
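Copying every timestamp from a donor file leaves a tell that a defender can look for: two unrelated files whose timestamps agree down to the nanosecond. The following is an added example, not ESET's code or anything from the Vyveva sample; it builds a throwaway directory with a constructed donor document, a hypothetical planted file named svchelper.dll that has been timestomped from it, and a benign file, then scans for groups of files sharing one exact (mtime, atime) pair. Creation time is left out because Python cannot set it portably; on NTFS a forensic workflow would additionally compare the $STANDARD_INFORMATION timestamps against the $FILE_NAME ones, which user-mode timestomping tools typically do not touch.

```python
"""Timestomp clone check: flag files whose timestamps exactly match another file's.

All paths, names and timestamps below are constructed for this example.
"""
import os
import shutil
import tempfile
from collections import defaultdict


def build_demo_tree() -> str:
    """Create a constructed sample tree (not real malware artefacts) and return its root."""
    root = tempfile.mkdtemp(prefix="timestomp_demo_")
    donor = os.path.join(root, "quarterly_report.docx")   # constructed "donor" document
    clone = os.path.join(root, "svchelper.dll")            # hypothetical planted file
    benign = os.path.join(root, "notes.txt")               # ordinary file, genuine times
    for path in (donor, clone, benign):
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    # Give the donor an old, distinctive atime/mtime pair (early 2018) with odd nanoseconds.
    os.utime(donor, ns=(1519862400_123456789, 1519862400_987654321))
    # Timestomp: copy the donor's access and modification times onto the planted file.
    st = os.stat(donor)
    os.utime(clone, ns=(st.st_atime_ns, st.st_mtime_ns))
    # The benign file keeps the recent timestamps it was created with.
    return root


def find_timestamp_clones(root: str) -> list[list[str]]:
    """Return groups (two or more files) sharing the exact same (mtime_ns, atime_ns) pair.

    Paths are returned relative to root, each group sorted, so results are stable.
    """
    groups: dict[tuple[int, int], list[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)   # stat() does not update atime, so scanning is side-effect free
            groups[(st.st_mtime_ns, st.st_atime_ns)].append(os.path.relpath(path, root))
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for group in find_timestamp_clones(demo_root):
            print("identical timestamps:", ", ".join(group))
    finally:
        shutil.rmtree(demo_root, ignore_errors=True)
```

An exact nanosecond match between a DLL and an Office document is hard to explain innocently, whereas second-granularity matches are common on filesystems that truncate timestamps, so treat the precision of the filesystem being scanned as part of the signal.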
“These components can [also] trigger a connection to the C2 server outside the regular, preconfigured three-minute interval, and on new drive and session events,” ESET notes.
Through watchdog modules, the backdoor communicates with its C2 every three minutes, sending a stream of data to its operators that includes when drives are connected or disconnected, the number of active sessions, and logged-in users — all of which are likely related to cyberespionage.
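A fixed beacon interval is the kind of regularity network defenders can hunt for in connection logs. The block below is an added example (not from the article or from ESET) that scores each source/destination pair by how tightly its inter-connection gaps cluster. Because the article notes that drive and session events trigger extra connections outside the three-minute schedule, the check uses the median gap and the median absolute deviation rather than mean and standard deviation, so a few event-driven connections do not hide the underlying cadence. The log format, addresses and timestamps are constructed for the example.

```python
"""Fixed-interval beacon heuristic over constructed connection logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real traffic): "<ISO timestamp> <src> <dst>:<port>".
# 203.0.113.10 is contacted roughly every 180 s plus one event-driven extra at 09:07:12;
# 198.51.100.7 is contacted at irregular, human-looking times.
SAMPLE_LOG = """\
2020-06-11T09:00:00 10.0.0.5 203.0.113.10:443
2020-06-11T09:03:01 10.0.0.5 203.0.113.10:443
2020-06-11T09:06:00 10.0.0.5 203.0.113.10:443
2020-06-11T09:07:12 10.0.0.5 203.0.113.10:443
2020-06-11T09:09:02 10.0.0.5 203.0.113.10:443
2020-06-11T09:12:00 10.0.0.5 203.0.113.10:443
2020-06-11T09:15:01 10.0.0.5 203.0.113.10:443
2020-06-11T09:00:30 10.0.0.5 198.51.100.7:443
2020-06-11T09:04:45 10.0.0.5 198.51.100.7:443
2020-06-11T09:05:10 10.0.0.5 198.51.100.7:443
2020-06-11T09:20:00 10.0.0.5 198.51.100.7:443
2020-06-11T09:41:13 10.0.0.5 198.51.100.7:443
2020-06-11T09:42:00 10.0.0.5 198.51.100.7:443
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def interval_stats(timestamps):
    """Return (median gap in seconds, jitter) where jitter = MAD of the gaps / median gap.

    MAD (median absolute deviation) is robust to a handful of out-of-schedule
    connections, which is exactly what event-triggered beacons produce.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median([abs(g - med) for g in gaps])
    return med, (mad / med if med else float("inf"))


def find_beacons(text, min_conns=5, max_jitter=0.15):
    """Return {(src, dst): stats} for pairs whose connection gaps are near-constant."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_conns:      # too few samples to judge regularity
            continue
        med, jitter = interval_stats(stamps)
        if jitter <= max_jitter:
            flagged[pair] = {"count": len(stamps), "median_gap_s": med, "jitter": jitter}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats['count']} connections, "
              f"median gap {stats['median_gap_s']:.1f}s, jitter {stats['jitter']:.3f}")
```

On the sample, the 203.0.113.10 pair is reported with a median gap of 178.5 s and jitter near 0.014 despite the extra 09:07:12 connection, while the irregular 198.51.100.7 pair is not flagged. In production the same logic runs over proxy or NetFlow records, and the threshold should be tuned against the jitter that legitimate polling clients (update checks, mail sync) show in your own environment.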
According to the researchers, the backdoor's codebase allows them to attribute Vyveva to Lazarus with “high confidence.”
The US Department of Justice (DoJ) indicted two alleged North Korean hackers in February and expanded the charges against a third for his involvement in Lazarus.