(Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we have been able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.
Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that …
IoC