Lazarus attacks freight company in South Africa

Lazarus attacks freight company in South Africa

ESET researchers have discovered a previously undocumented backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva. Researchers have attributed the malware to the infamous Lazarus group due to shared similarities with the group’s previous operations and samples. The backdoor includes several cyber espionage capabilities, such as file exfiltration and gathering information about the targeted computer and its drives.

According to the ESET investigation, Vyveva has been in use since December 2018.

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence,” said Filip Jurčacko, Researcher, ESET.

Vyveva uses the Tor library to communicate with a C and C (C&C) server. It contacts the C&C at three-minute intervals, sending information about the victimised computer and its drives before receiving commands.

“However, of particular interest are the backdoor’s watchdogs used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions, like logged-on users. These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval,” explained Jurčacko.

Click below to share this article

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive