Vyveva: New Custom Malware in Lazarus Toolkit

[post-views]
April 13, 2021 · 3 min read
Vyveva: New Custom Malware in Lazarus Toolkit

Experts from ESET have uncovered a new malicious sample leveraged by Lazarus APT to target an unnamed South African freight company. The malware, dubbed Vyveva, obtains impressive backdoor capabilities, which are used by the nation-backed actor for reconnaissance and cyber-espionage.

Vyveva Backdoor Overview

Vyveva is a custom threat applied by the North Korean state-sponsored group in highly targeted operations. To date, security experts have been able to detect only a couple of victimized instances, both related to the cyber-attack against the freight firm in summer 2020. However, the analysis shows that malware has been used in Lazarus campaigns since late 2018. Moreover, it shares many strains of code with the NukeSped family, another threat in the group’s arsenal, which allows experts to attribute Vyveva to North Korean adversaries.

ESET details that Vyveva backdoor consists of three main elements: installer, loader, and malicious payload. The initial intrusion method is currently unexplored, still, security practitioners suggest the existence of a secret malicious dropper. The installer is responsible for the persistence of the loader and puts the default payload into the registry. Further, the loader component decrypts the payload with an XOR decryption algorithm, so it is ready to perform the array of malicious functions.

According to the researchers, Vyveva is able to perform 23 commands, including file exfiltration, data dumping, arbitrary code execution, and timestomping. Although most of the functions are typical, some on the list are capable of resolving sophisticated tasks. For example, the timestomping option enables time metadata copying from a legitimate file. And file upload command is capable of exfiltrating directories and supporting file extension filtering. Notably, commands might be launched asynchronously and executed in separate threads.

Vyveva Backdoor Detection

To detect the malicious activity associated with the new Lazarus tool, you can download a community Sigma rule from our prolific Threat Bounty developer Kyaw Pyiyt Htet:

https://tdm.socprime.com/tdm/info/HKO3ESP3ZBoF

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix, 

EDR: Sentinel One

MITRE ATT&CK: 

Tactics: Execution, Exfiltration, Defense Evasion

Techniques: Execution through API (T0871), Exfiltration Over Command and Control Channel (T1041), Masquerading (T1036)

Also, you can ensure your proactive defense against Lazarus intrusions by checking the full list of tailored detections available in Threat Detection Marketplace.

Get a free subscription to Threat Detection Marketplace, a world-leading Content-as-a-Service (CaaS) platform that helps SecOps teams advance their security analytics and withstand cyber attacks on the earliest stages of their lifecycle. Eager to monetize your threat hunting skills and contribute to the industry-first SOC content library? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts