ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa
ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, being used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we have been able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.
Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the operation is most likely espionage.
This blogpost provides the first public, technical analysis of Vyveva’s components.
Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.
An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.
Figure 1. Hex-Rays decompilation showing similarity between Vyveva (left) and NukeSped sample (right)
Up until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found and since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.
Figure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.
Figure 2. Overview of Vyveva components
The main purposes of the installer are twofold: it creates a service that ensures persistence of the backdoor loader, and it stores the embedded, default backdoor configuration in the registry.
To create a legitimate-looking service, its attributes, such as service name and display name, are formed using a combination of words from the attributes of existing services, which are randomly selected. It is also possible to specify these attributes to the installer via command line parameters -‍dll, -svc, -disp, -desc, and -group. We observed the following in the wild, with these parameters:
<SYSDIR>powerctl.exe -svc powerctl -dll powerctl.dll
As for the latter task, the installer first sets the configuration infection ID, which uniquely identifies each victim, to a randomly generated value, and then stores it in the registry, as shown in Figure 3.
[HKLMSOFTWAREMicrosoftDirectX]
    UsageMask = <CONFIG_DATA>
Figure 3. Configuration registry value
One of the entries in the configuration is a list of encrypted C&C servers: for example, the installer sample we analyzed is configured with the following C&Cs:
The backdoor, Vyveva’s main component, connects to C&C servers and executes commands issued by the threat actors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping. It can copy creation/write/access time metadata from a “donor” file to a destination file or use a random date in the years 2000—2004.
Other noteworthy commands are Vyveva’s file upload command, and command 0x26. The file upload command is capable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents only. As for command 0x26, it indicates the existence of another, unknown component that we have not yet observed at the time of writing.
The full list of commands is shown in Table 1.
Table 1. Vyveva backdoor commands

ID Description
0x03 Reply to “ping” from server
0x10 Get information about computer – username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, current directory
0x11 Get information about drives – type, size, name, serial number, filesystem type
0x12 Write data to specified file, optionally timestomp.
0x13 Upload specified file or directory
 • File – size, last write time, content
 • Directory stats – total files size, file count, directory count
  - For each entry – name, attributes
  - Directories – recurse into directories
  - Files – size, last write time, content

Options
 • Use compression for file content (zlib 1.2.5)
 • File extension filter (whitelist/blacklist)
 • Recursion flag

0x14 Get listing of specified directory
 • name, attributes, write time
 • Directories – is nonempty
 • Files – size
0x15 Set current directory to specified directory
0x16 Create specified process
0x17 Get information about running processes – PID, PPID, executable file path
0x18 Terminate process(es) by PID or executable file path
0x19 Create process with redirected output and upload the output
The command uses a format string which hints at execution through cmd.exe
 • “%param0% /c “%param1% > %tmp_fpath%” 2>&1″
If the output is empty, unique string “<NO RESULT!>rn” is uploaded instead
0x1A Delete specified path. File deletion methods:
 • delete only
 • overwrite & move & delete
0x1B Copy creation/write/access time metadata from source file or directory to destination file or directory.
If the source doesn’t exist, random time in year 2000-2004 is used for creation & last write time, access time is unchanged.
0x1C Get info about specified path:
 • File – attributes, creation/write/access time, type, size
 • Directory / Drive – total files size, file count, directory count (with optional extension filtering and recursion)
0x1D Set current configuration blob, save to registry
0x1E Get current configuration blob
0x1F Enable/disable drive watchdog (configuration field enable_drive_watchdog)
0x20 Enable/disable session watchdog (configuration field enable_session_watchdog)
0x21 Set configuration value related to delay of backdoor execution (configuration field delay_until_time)
0x23 Store data used by asynchronous command (related to commands 0x12, 0x13)
0x24 Stop executing asynchronous command (related to commands 0x12, 0x13)
0x25 Set configuration value related to delay between failed C&C connection attempts (configuration field wait_minutes)
0x26 If <SYSDIR>wsdchngr.drx exists
 • Delete configuration registry value
 • Delete backdoor file (self delete)
 • Delete loader file
 • Read, decrypt, PE-load wsdchngr.drx and call SamIPromote export in a new thread
 • Exit current thread

Of particular interest are the backdoor’s watchdogs, which can be optionally enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, and on new drive and session events.
The configuration of the backdoor, which is initially set by the installer, is read from the registry value (shown in Figure 3). When the configuration is modified by a C&C command, the value stored in the registry is updated. An example configuration and its structure are shown in Figure 4.
Figure 4. Configuration structure and annotated example
The wait_minutes field specifies the time to wait before next connection to the C&C after a failed connection attempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in the delay_until_time field. The encrypted_cncs field is an encrypted string, which contains semicolon-separated C&Cs.
Vyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C&C server selected at random from the configuration.  It contacts the C&C at three-minute intervals, sending information about the victim computer and its drives before receiving commands. The backdoor’s export directory contains the TorSocket.dll with self-explanatory exports close_ch, connect_ch, open_ch, read_ch, write_ch.
Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
%WINDIR%System32powerctl.exe
%WINDIR%SysWOW64powerctl.exe
%WINDIR%System32power.dat
%WINDIR%SysWOW64power.dat
%WINDIR%System32wwanauth.dll
%WINDIR%SysWOW64wwanauth.dll
%WINDIR%System32wwansec.dll
%WINDIR%SysWOW64wwansec.dll
%WINDIR%System32powerctl.dll
%WINDIR%SysWOW64powerctl.dll
%WINDIR%System32JET76C5.tmp
%WINDIR%SysWOW64JET76C5.tmp
%WINDIR%System32msobjs.drx
%WINDIR%SysWOW64msobjs.drx
This table was built using version 8 of the MITRE ATT&CK framework.

source

Leave a Reply