Security company ESET has discovered a previously undocumented backdoor used to attack a logistics company in South Africa. ESET attributes the malware to the Lazarus group, because it shares code and tradecraft with earlier Lazarus operations and samples. The backdoor, discovered by ESET researchers, has been named Vyveva.
The backdoor carries a range of cyber-espionage features, including file exfiltration and the gathering of information about the targeted computer and its drives. It communicates with its command and control (C&C) server over the Tor network.
ESET researchers found only two compromised machines, both of them servers belonging to the logistics company in South Africa. According to ESET's research, Vyveva has been in use since December 2018.
ESET researcher Filip Jurčacko, who analyzed the Lazarus weapon, said: "Vyveva shares much code with the older Lazarus samples detected by ESET technology. But the similarity does not stop there: it has many other similarities, such as the use of a fake TLS protocol in network communication, the command-line execution chain, encryption, and the methods of using Tor services. All these similarities point to the Lazarus group. Therefore, we are sure that Vyveva belongs to this APT group."
Vyveva supports the commands threat actors typically rely on, such as file and process operations and information gathering. A less common command handles file timestamps (timestomping): it can copy the timestamps of a "donor" file onto a target file, or set a random date, so that a freshly dropped payload blends in with older files on disk.
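To make the timestomping command concrete, here is an added example (my own code, not ESET's and not Vyveva's) of both variants described above, donor copy and random date, together with a simple forensic check that catches the most common form of them. It assumes a POSIX file system, where os.utime() can rewrite atime and mtime but not the inode change time (ctime), so a stomped file ends up with a recent ctime and an old mtime. File names and dates are constructed for the demo.

```python
"""Timestomping the way Vyveva's command is described (donor copy or random
date), plus a ctime/mtime discrepancy check. Added example, not ESET's or the
malware's own code. Assumes POSIX semantics: utime() sets atime/mtime only."""
import os
import random
import tempfile
from datetime import datetime, timezone


def stomp_from_donor(target: str, donor: str) -> None:
    """Copy the donor's access and modification times onto the target.
    Userland cannot set ctime this way, which is what the detector relies on."""
    st = os.stat(donor)
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))


def stomp_random(target: str, start_year: int = 2010,
                 end_year: int = 2018, seed=None) -> float:
    """Set the target's atime/mtime to a random UTC date in [start, end].
    Returns the epoch seconds used so callers can verify it."""
    rng = random.Random(seed)
    start = datetime(start_year, 1, 1, tzinfo=timezone.utc).timestamp()
    end = datetime(end_year, 12, 31, tzinfo=timezone.utc).timestamp()
    when = rng.uniform(start, end)
    os.utime(target, (when, when))
    return when


def looks_timestomped(path: str, tolerance_s: float = 60.0) -> bool:
    """Heuristic: a normal write updates mtime and ctime together, so after a
    utime()-based stomp ctime stays 'now' while mtime is pushed into the past.
    Caveat: archive extraction and `cp -p` also preserve mtime and will trip
    this check, so treat a hit as a lead to corroborate, not proof."""
    st = os.stat(path)
    return (st.st_ctime - st.st_mtime) > tolerance_s


def demo_donor() -> dict:
    """Create a donor dated 2016 and a fresh target, stomp the target, and
    report the detector's verdict before and after. Names are constructed."""
    with tempfile.TemporaryDirectory() as d:
        donor = os.path.join(d, "donor.dll")
        target = os.path.join(d, "payload.dll")
        for p in (donor, target):
            with open(p, "wb") as f:
                f.write(b"\x00" * 16)
        old = datetime(2016, 3, 4, tzinfo=timezone.utc).timestamp()
        os.utime(donor, (old, old))  # stand-in for a genuinely old system file
        before = looks_timestomped(target)
        stomp_from_donor(target, donor)
        after = looks_timestomped(target)
        return {
            "before": before,
            "after": after,
            "target_mtime": os.stat(target).st_mtime,
            "donor_mtime": old,
        }


def demo_random(seed: int = 1) -> dict:
    """Stomp a fresh file with a random date and report what the detector sees."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "payload.dll")
        with open(target, "wb") as f:
            f.write(b"\x00" * 16)
        when = stomp_random(target, seed=seed)
        return {
            "chosen": when,
            "mtime": os.stat(target).st_mtime,
            "flagged": looks_timestomped(target),
        }


if __name__ == "__main__":
    print(demo_donor())
    print(demo_random())
```

On NTFS the same idea applies with the $STANDARD_INFORMATION timestamps (which the Win32 API can rewrite) versus $FILE_NAME (which it cannot); a discrepancy between the two is the classic indicator there, and this example's ctime check is the POSIX analogue.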