Skip to content

Lazarus attacks freight company in South Africa with a new backdoor, ESET Research discovers

BRATISLAVA – ESET researchers have discovered a previously undocumented backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva. They have attributed the malware to the infamous Lazarus group due to shared similarities with the group’s previous operations and samples. The backdoor includes several cyberespionage capabilities, such as file exfiltration and gathering information about the targeted computer and its drives. It communicates with its Command & Control (C&C) server via the Tor anonymity network.

ESET telemetry for Vyveva suggests targeted deployment as ESET researchers have found only two victim machines, both of which are servers owned by the aforementioned South African logistics company. According to the ESET investigation, Vyveva has been in use since at least December 2018.

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” says ESET researcher Filip Jurčacko, who analyzed the discovered Lazarus arsenal.

The backdoor executes commands issued by the threat actors, like file and process operations and information gathering. There is also a less commonly seen command for file timestomping, which allows copying timestamps from a “donor” file to a destination file or use of a random date.

Vyveva uses the Tor library to communicate with a C&C server. It contacts the C&C at three-minute intervals, sending information about the victimized computer and its drives before receiving commands. “However, of particular interest are the backdoor’s watchdogs used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions, like logged-on users. These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval,” explains Jurčacko.

For more technical details about Vyveva, read the blog post (Are you) afreight of the dark? Watch out for Vyveva, the latest addition to the Lazarus toolkit on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.


Overview of Vyveva components



About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.