North Korean Lazarus Group Hackers Targeting South African Freight and Logistics Service Providers

ESET researchers discovered a new hacking campaign conducted by the North Korean-backed Lazarus Group targeted a South African freight logistics company using a backdoor called Vyveva.

Vyveva was first discovered in June last year and has several components and it communicates with the command and control server using the Tor network.

ESET malware analyst Filip Jurčacko explained that Vyveva is similar to older Lazarus samples that they have categorized as the NukeSped malware family.

“However, the similarities do not end there: the use of fake TLS in network communication, command-line execution chains, and the way of using encryption and Tor services all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence,” said Jurčacko

The Vyveva backdoor was first discovered in two devices belonging to a freight logistics firm based in South Africa in 2020 but ESET believed it has been in use since 2018.

Vyveva has an installer, a loader, and backdoor components which have various stages during an attack.

Vyveva can also execute 23 commands issued by the Lazarus Group through C&C servers, including copy creation/write/access time metadata from a “donor” file to a destination file, exfiltrate directories recursively, and gain information on host computers, such as username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, and current directory.

Last February, the US Department of Justice (DoJ) indicted two alleged North Korean hackers who were suspected members of Lazarus.

© Fourth Estate® — All Rights Reserved.
This material may not be published, broadcast, rewritten or redistributed.