New Vyveva Malware Used by Lazarus Hacking Group to Attack South African Freight
Researchers Found Two Devices Infected with Vyveva Malware, Both Belonging to the Same South African Freight Company.
Cybersecurity specialists have detected a new backdoor malware used by the North Korean-backed Lazarus hacking group in targeted attacks against the freight industry.
On Thursday, ESET (Essential Security against Evolving Threats) announced that the new backdoor malware, named Vyveva, was detected in an attack against a South African freight and logistics company.
According to researchers, the previously unknown attack was discovered in June 2020.
While the initial attack vector used to deploy the malware is unknown, specialists say Vyveva has been in use since December 2018. They found only two infected machines, both of which are servers owned by a freight logistics firm located in South Africa.
Examination of the machines infected with the new malware revealed a strong connection to the North Korean-backed Lazarus hacking group.
Lazarus Group (also known as HIDDEN COBRA or Zinc) is a cybercrime group designated as an advanced persistent threat (APT) due to the intended nature, threat, and wide array of methods it uses when conducting an operation. Vyveva is one of the latest weapons discovered in the Lazarus collection.
In a report issued today, security researcher Filip Jurčacko stated that Vyveva has coding similarities to older Lazarus samples detected by ESET technology as the NukeSped malware family.
However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence.
A Short Analysis of the New Vyveva Malware
With its set of cyber-espionage capabilities, the backdoor can exfiltrate files, collect data from a compromised machine and its drives, connect remotely to a command-and-control (C2) server, and run arbitrary code.
Furthermore, the backdoor utilizes fake TLS connections for network communication, a component for connecting to its C2 via the Tor network, and command-line execution chains used by the APT in previous operations.
The backdoor contacts its C2 every three minutes via watchdog modules, sending its operators a stream of data that includes when drives are connected or disconnected, along with the logged-in users and the number of active sessions – activity consistent with cyberespionage.
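A fixed three-minute callback is a pattern defenders can hunt for in egress logs. The script below is an added illustration, not code from ESET's report: it groups outbound connections by source host, destination and port and flags flows whose inter-connection gaps cluster tightly around 180 seconds. The log format, hostnames and addresses are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<timestamp> <source host> <destination ip> <port>".
# srv01 calls 203.0.113.10:443 roughly every 180 s (beacon-like);
# srv02 talks to 198.51.100.7:443 at irregular, user-driven times.
SAMPLE_LOG = """\
2020-06-01T10:00:00 srv01 203.0.113.10 443
2020-06-01T10:03:02 srv01 203.0.113.10 443
2020-06-01T10:05:59 srv01 203.0.113.10 443
2020-06-01T10:09:01 srv01 203.0.113.10 443
2020-06-01T10:12:00 srv01 203.0.113.10 443
2020-06-01T10:00:10 srv02 198.51.100.7 443
2020-06-01T10:00:45 srv02 198.51.100.7 443
2020-06-01T10:07:30 srv02 198.51.100.7 443
2020-06-01T10:30:00 srv02 198.51.100.7 443
2020-06-01T10:31:00 srv02 198.51.100.7 443
"""

def parse_log(text):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def beacon_candidates(flows, expected=180.0, tolerance=0.10, min_conns=4):
    """Return flows whose gaps between connections cluster around
    `expected` seconds (default 180 s, the interval noted for Vyveva).
    Maps flow -> (mean gap, gap std-dev); irregular traffic is dropped."""
    hits = {}
    for flow, times in flows.items():
        times = sorted(times)
        if len(times) < min_conns:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        # a mean near the expected interval with a tight spread is beacon-like
        if abs(avg - expected) <= tolerance * expected and spread <= tolerance * expected:
            hits[flow] = (avg, spread)
    return hits

if __name__ == "__main__":
    for flow, (avg, spread) in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{flow}: mean gap {avg:.1f}s, std-dev {spread:.1f}s")
```

Real traffic needs a longer window and jitter-aware thresholds; the tolerance argument is where that tuning goes.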
More About Lazarus Group
High-profile companies such as Sony Films and several banks around the world have been targeted by the Lazarus Group over the years. The group is also known for the 2017 global WannaCry ransomware operation.
At the beginning of the year, the North Korean hackers targeted security researchers in a social engineering campaign. The threat actors created fake Twitter accounts and blogs to build a fake persona as a security researcher. The accounts were then used to contact targeted security researchers via social media, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.
The campaign was eventually discovered and blocked by Google in March while still in its early stages.
The same month, it was disclosed that the group had been targeting the defense industry since early 2020 with malware named ThreatNeedle, with the intention of stealing private information.
Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.
Indicators of compromise (IoCs) can be found at the end of ESET’s report, including the hashes of the Vyveva samples used in the attacks targeting the South African freight organization.