Lazarus Group attacks logistics company: Failures in global freight logistics can have serious consequences. Whether digital or analog: failures are particularly sensitive for global freight logistics. This was shown recently by the blockade of the Suez Canal by the container ship “Ever Given”.
ESET researchers have now discovered a previously unknown backdoor that was used in an attack on a freight logistics company in South Africa. Behind the malware is the infamous Lazarus group. For this purpose, the security experts of the European IT security manufacturer discovered similarities with previous operations and procedures of the hacking group.
Backdoor Vyveva has espionage functions
The backdoor called Vyveva has several espionage functions, such as collecting information on the target computer and forwarding it to Lazarus computers. An interruption of the IT systems would also have been possible. The spy program communicates with its Command & Control (C&C) server via the Tor network. The ESET researchers have now published their results on WeliveSecurity.
“Vyveva has many similarities in code with older Lazarus samples. In addition, the use of a fake TLS protocol in network communication, the chaining of command lines and the way in which the encryption and Tor services are used all point to the APT group. We can therefore attribute the backdoor to the Lazarus group with a high degree of probability, ”says Filip Jurčacko, the ESET researcher who analyzed Vyveva.
ESET researchers suspect targeted attack
Investigations by the European IT security manufacturer indicate that Vyveva was used in a targeted manner. The ESET researchers were only able to find two victim computers, which are servers of a South African logistics company. The analysis by ESET researchers found that Vyveva has been in use since at least December 2018.
Communication over the Tor network
The backdoor executes commands issued by the group of hackers, such as collecting sensitive data. There is also a command to change time stamps on files. Vyveva maintains communication with the C&C server via the Tor network and contacts it at three-minute intervals. The spy program sends information about the affected computer and its drives. So-called watchdogs are used here, which send a message to the C&C server in the event of certain changes to the infected system.
“Particularly interesting are special backdoor watchdogs that monitor newly connected and disconnected drives. There is also a watchdog that monitors the number of active sessions. This can be, for example, the number of registered users. These components can trigger a connection to the C&C server outside of the regular, pre-configured three-minute interval,” explains Jurčacko.
More at WeLiveSecurity on ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.