Researchers at ESET have discovered a new hacking campaign conducted by the North Korean-backed Lazarus Group targeting a South African freight logistics company. The hackers are using a backdoor, dubbed Vyveva, that was first used in June last year and communicates with its C&C server via the Tor network.
According to ESET, while the backdoor malware was last used in June last year, it has been used by Lazarus Group on several occasions since December 2018. Recently, the firm found that two machines owned by the South African freight logistics company were infected using the backdoor and that the attack trajectory is quite similar to other campaigns conducted by the Lazarus Group.
"Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET technology. However, the similarities do not end there: the use of a fake TLS protocol in network communication, command-line execution chains, and the methods of using encryption and Tor services all point toward Lazarus. Hence, we can attribute Vyveva to this APT group with high confidence," said Filip Jurčacko, a security researcher at ESET.
The firm found that Vyveva has the capability to execute as many as 23 commands issued by the Lazarus Group through C&C servers, including the capability to copy creation/write/access time metadata from a “donor” file to a destination file, exfiltrate directories recursively, and gain information on host computers, such as username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, and current directory.
The backdoor malware uses the Tor library to communicate with a C&C server, contacts the C&C at three-minute intervals, and sends information about the victim computer and its drives before receiving commands. While these capabilities make it a potent threat for organisations, it is not known why Lazarus Group chose to deploy the backdoor against a freight logistics company, and in South Africa at that, a country which does not feature in the list of those primarily targeted by the North Korean state-sponsored hacker group.
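As an added example that is not part of the article or of ESET's report, the following detection logic runs over constructed connection-log lines and flags a source/destination pair that is contacted at a near-constant interval, the beaconing pattern described above (C&C contact every three minutes). The log format, hosts and timestamps are assumptions made for the example.

```python
"""Added example (not from ESET or the article): flag hosts that contact the
same destination at a fixed period, as Vyveva is described to do every three
minutes. Log lines are constructed; fields are: unix_ts src dst dport."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 beacons every ~180 s; 10.0.0.9 connects irregularly.
SAMPLE_LOG = """\
1617800000 10.0.0.5 203.0.113.7 443
1617800181 10.0.0.5 203.0.113.7 443
1617800360 10.0.0.5 203.0.113.7 443
1617800541 10.0.0.5 203.0.113.7 443
1617800720 10.0.0.5 203.0.113.7 443
1617800013 10.0.0.9 198.51.100.2 443
1617800090 10.0.0.9 198.51.100.2 443
1617800604 10.0.0.9 198.51.100.2 443
1617800611 10.0.0.9 198.51.100.2 443
"""

def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(int(ts))
    return flows

def find_beacons(flows, min_conns=4, max_cv=0.1):
    """Return (flow, period_seconds, cv) for flows whose gaps between
    connections are regular. cv = stddev / mean of the gaps; a value near
    zero means an almost constant period, typical of automated check-ins."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((key, round(mean(gaps)), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{period}s (cv={cv})")
```

Real deployments would also account for jitter and for benign periodic traffic (update checks, monitoring agents), so a hit is a lead for triage, not a verdict.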
Founded in 2009, Lazarus Group has been one of the most notorious hacking groups and has been behind a large number of cyber-attacks on media, finance and aerospace companies as well as on governments across the world. It is best known for conducting the global WannaCry attack, which spread ransomware to hundreds of thousands of computers around the world.
In August last year, the FBI and the CISA warned that the hacker group was using a Remote Access Trojan (RAT) named BLINDINGCAN to target devices and networks owned by defence contractors and steal information stored in their servers. The RAT was injected into targeted networks via a phishing campaign that involved the use of job postings from leading defense contractors to lure targeted victims into downloading malicious documents on their devices.
The BLINDINGCAN RAT featured various capabilities, such as collecting detailed information about all disks in a system, obtaining the local IP address and processor details, initiating or terminating a process, reading, writing, executing and moving files, modifying file or directory timestamps, and deleting itself from infected systems and cleaning up its traces.
In February, three North Korean hackers associated with the Lazarus Group were indicted in the U.S. for carrying out a wide range of cyber crimes and stealing more than $1.3 billion in real money and cryptocurrency from financial institutions and other organizations.
Aside from stealing money from various banks, the hackers also developed several malicious cryptocurrency applications which provided them a backdoor into victims’ computers. Hundreds of cryptocurrency companies were targeted by these criminals to steal millions of dollars, including $75 million from a Slovenian cryptocurrency company, $24.9 million from an Indonesian cryptocurrency company, and $11.8 million from a financial services company in New York using the malicious CryptoNeuro Trader application as a backdoor.