
ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa

ESET researchers have discovered a previously undocumented Lazarus backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we have been able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.

Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment, as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware's operators. This suggests that the intent of the operation is most likely espionage.

This blogpost provides the first public, technical analysis of Vyveva's components.

Attribution to Lazarus

Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way encryption and Tor services are used all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.

An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.

  • 92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Vyveva backdoor
  • BF98EA1326E5F8C351E68C79B5D1E0164C7BE728 taskhosts.exe Win32/NukeSped.HV trojan

Figure 1. Hex-Rays decompilation showing the similarity between Vyveva (left) and a NukeSped sample (right)

Technical analysis

Until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found, and since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.

Figure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.

Figure 2. Overview of Vyveva components
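The loader's XOR decryption described above, as an added illustration that is not ESET's tooling and not Vyveva's own code: a small Python analyst helper that recovers a repeating XOR key from an encrypted payload by known plaintext (the DOS stub string every standard PE carries), decrypts the payload, and repairs a blanked MZ signature, which is the "fixed MZ header" situation the IoC table mentions for the decrypted samples. The key length, the blanked signature and the sample image are assumptions constructed for the example; the real loader's key and payload format are not given on the page.

```python
"""Recover a repeating-key XOR-encrypted PE payload and repair its MZ header.

Added example for this write-up, not ESET's tooling and not the real loader.
Assumptions (not stated on the page): the loader uses a repeating-key XOR,
the payload has its 'MZ' signature blanked, and the key is short enough to
try lengths 1..max_key_len.
"""
import struct
from typing import Optional

# Known plaintext that every standard PE image carries in its DOS stub.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (encryption and decryption are identical)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(buf: bytes) -> bool:
    """True if e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob: bytes, key_len: int, known: bytes = DOS_STUB) -> Optional[bytes]:
    """Known-plaintext attack: slide the DOS stub over the blob; at each
    offset derive the key bytes it implies and keep the candidate only if
    the whole stub decrypts consistently and the result carries a PE
    signature. Key slots are indexed by absolute offset, so the returned
    key is aligned to the start of the blob."""
    if key_len > len(known):
        raise ValueError("known plaintext shorter than key")
    for off in range(len(blob) - len(known) + 1):
        key = bytearray(key_len)
        seen = [False] * key_len
        consistent = True
        for i, p in enumerate(known):
            slot = (off + i) % key_len
            k = blob[off + i] ^ p
            if seen[slot] and key[slot] != k:
                consistent = False
                break
            key[slot], seen[slot] = k, True
        if consistent and looks_like_pe(xor_bytes(blob, bytes(key))):
            return bytes(key)
    return None


def fix_mz_header(pe: bytes) -> bytes:
    """Restore a blanked 'MZ' signature so standard PE tools accept the file."""
    if not looks_like_pe(pe):
        raise ValueError("buffer is not a PE image")
    return b"MZ" + pe[2:]


def decrypt_payload(blob: bytes, max_key_len: int = 8) -> bytes:
    """Try key lengths 1..max_key_len and return the repaired PE image."""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(blob, key_len)
        if key is not None:
            return fix_mz_header(xor_bytes(blob, key))
    raise ValueError("no consistent XOR key found")


def build_sample(key: bytes) -> bytes:
    """Constructed input for the example: a minimal fake PE image (DOS header
    with e_lfanew, DOS stub, 'PE' signature) whose MZ bytes are blanked,
    then XOR-encrypted with the given key."""
    image = bytearray(0x100)                    # MZ bytes left as 0x00
    struct.pack_into("<I", image, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    image[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    image[0x80:0x84] = b"PE\x00\x00"
    return xor_bytes(bytes(image), key)


if __name__ == "__main__":
    blob = build_sample(b"\x5a\xa3\x17")        # constructed 3-byte key
    recovered = decrypt_payload(blob)
    print("MZ restored:", recovered[:2] == b"MZ")
```

The consistency check alone would accept a spurious key on a large blob, which is why every candidate is also required to decrypt to something with a valid `e_lfanew` and `PE\0\0` signature before it is returned.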

Installer

The main purposes of the installer are twofold: it creates a service that ensures persistence of the backdoor loader, and it stores the embedded, default backdoor configuration in the registry.

To create a legitimate-looking service, its attributes, such as service name and display name, are formed using a combination of words from the attributes of existing services, which are randomly chosen. It is also possible to specify these attributes to the installer via the command line parameters -dll, -svc, -disp, -desc, and -group. We observed the following in the wild, with these parameters:

powerctl.exe -svc powerctl -dll powerctl.dll

As for the latter task, the installer first sets the configuration's infection ID, which uniquely identifies each victim, to a randomly generated value, and then stores the configuration in the registry, as shown in Figure 3.

[HKLM\SOFTWARE\Microsoft\DirectX]
    UsageMask =

Figure 3. Configuration registry value

One of the entries in the configuration is a list of encrypted C&C servers: for example, the installer sample we analyzed is configured with the following C&Cs:

  • 4bjt2rceijktwedi[.]onion:80
  • cwwpxpxuswo7b6tr[.]onion:80

Backdoor functionality

The backdoor, Vyveva's main component, connects to C&C servers and executes commands issued by the threat actors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping. It can copy creation/write/access time metadata from a "donor" file to a destination file, or use a random date in the years 2000–2004.

Other noteworthy commands are Vyveva's file upload command and command 0x26. The file upload command is capable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents only. As for command 0x26, it indicates the existence of another, unknown component that we had not yet observed at the time of writing.

The full list of commands is shown in Table 1.

Table 1. Vyveva backdoor commands

ID    Description
0x03  Reply to "ping" from server
0x10  Get information about computer – username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, current directory
0x11  Get information about drives – type, size, name, serial number, filesystem type
0x12  Write data to specified file, optionally timestomp.
0x13  Upload specified file or directory
        • File – size, last write time, content
        • Directory stats – total files size, file count, directory count
          - For each entry – name, attributes
          - Directories – recurse into directories
          - Files – size, last write time, content
      Options
        • Use compression for file content (zlib 1.2.5)
        • File extension filter (whitelist/blacklist)
        • Recursion flag
0x14  Get listing of specified directory
        • name, attributes, write time
        • Directories – is nonempty
        • Files – size
0x15  Set current directory to specified directory
0x16  Create specified process
0x17  Get information about running processes – PID, PPID, executable file path
0x18  Terminate process(es) by PID or executable file path
0x19  Create process with redirected output and upload the output
      The command uses a format string which hints at execution via cmd.exe:
        • "%param0% /c "%param1% > %tmp_fpath%" 2>&1"
      If the output is empty, the unique string "\x0D\x0A" is uploaded instead
0x1A  Delete specified path. File deletion methods:
        • delete only
        • overwrite & move & delete
0x1B  Copy creation/write/access time metadata from source file or directory to destination file or directory.
      If the source does not exist, a random time in the years 2000-2004 is used for creation & last write time; access time is unchanged.
0x1C  Get info about specified path:
        • File – attributes, creation/write/access time, type, size
        • Directory / Drive – total files size, file count, directory count (with optional extension filtering and recursion)
0x1D  Set current configuration blob, save to registry
0x1E  Get current configuration blob
0x1F  Enable/disable drive watchdog (configuration field enable_drive_watchdog)
0x20  Enable/disable session watchdog (configuration field enable_session_watchdog)
0x21  Set configuration value related to delay of backdoor execution (configuration field delay_until_time)
0x23  Store data used by asynchronous command (related to commands 0x12, 0x13)
0x24  Stop executing asynchronous command (related to commands 0x12, 0x13)
0x25  Set configuration value related to delay between failed C&C connection attempts (configuration field wait_minutes)
0x26  If wsdchngr.drx exists:
        • Delete configuration registry value
        • Delete backdoor file (self delete)
        • Delete loader file
        • Read, decrypt, PE-load wsdchngr.drx and call its SamIPromote export in a new thread
        • Exit current thread
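As an added detection example that is not part of the original analysis, the following Python rules flag two command-line patterns described in this write-up over constructed process-creation events: the installer's -svc/-dll switch grammar together with the filenames from the IoC section, and the cmd.exe /c "<command> > <temp file>" 2>&1 chain that command 0x19 uses to capture output. The event field names (Image, CommandLine) follow the Sysmon process-creation layout and the sample events are constructed for the example; neither comes from the page.

```python
"""Flag Vyveva-style command lines in process-creation telemetry.

Added detection example, not ESET's rules. Event field names follow the
Sysmon event 1 layout (Image, CommandLine); sample events are constructed.
"""
import ntpath
import re

# Filenames listed in the IoC section of the write-up.
IOC_FILENAMES = {
    "powerctl.exe", "powerctl.dll", "power.dat", "wwanauth.dll",
    "wwansec.dll", "jet76c5.tmp", "msobjs.drx", "wsdchngr.drx",
}

# Installer switches documented in the write-up.
INSTALLER_SWITCHES = {"-dll", "-svc", "-disp", "-desc", "-group"}

# Command 0x19 format string: %param0% /c "%param1% > %tmp_fpath%" 2>&1
CMD_OUTPUT_CAPTURE = re.compile(r'/c\s+"[^"]*>\s*[^"]+"\s*2>&1', re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty if nothing fired)."""
    hits = []
    cmdline = event.get("CommandLine", "")
    tokens = cmdline.split()
    # ntpath handles Windows paths regardless of the analysis host's OS.
    names = {ntpath.basename(t.strip('"')).lower() for t in tokens}
    names.add(ntpath.basename(event.get("Image", "")).lower())
    if names & IOC_FILENAMES:
        hits.append("ioc_filename")
    # Two or more installer switches on one command line is the installer's
    # own argument grammar, independent of whatever file name it was given.
    if len(INSTALLER_SWITCHES & {t.lower() for t in tokens}) >= 2:
        hits.append("installer_switches")
    if CMD_OUTPUT_CAPTURE.search(cmdline):
        hits.append("cmd_output_capture")
    return hits


def scan_events(events) -> list:
    """Return (index, hits) for every event that matched at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not telemetry from the page).
SAMPLE_EVENTS = [
    {   # installer run with explicit service attributes, as quoted in the write-up
        "Image": r"C:\Windows\System32\powerctl.exe",
        "CommandLine": "powerctl.exe -svc powerctl -dll powerctl.dll",
    },
    {   # command 0x19 shape: run a command, capture output into a temp file
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "ipconfig /all > C:\Windows\Temp\tmp1A2B.tmp" 2>&1',
    },
    {   # benign cmd usage without the capture chain
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Users",
    },
    {   # benign
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

if __name__ == "__main__":
    for index, hits in scan_events(SAMPLE_EVENTS):
        print(index, hits, SAMPLE_EVENTS[index]["CommandLine"])
```

The filename rule is the brittle one, since the service attributes and file names are chosen to blend in; the switch-grammar and output-capture rules describe behaviour the page documents and survive a renamed binary.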

Of particular interest are the backdoor's watchdogs, which can be optionally enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, on new drive and session events.

Configuration

The configuration of the backdoor, which is initially set by the installer, is read from the registry value shown in Figure 3. When the configuration is changed by a C&C command, the value stored in the registry is updated. An example configuration and its structure are shown in Figure 4.

Figure 4. Configuration structure and annotated example

The wait_minutes field specifies the time to wait before the next connection to the C&C after a failed connection attempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in the delay_until_time field. The encrypted_cncs field is an encrypted string, which contains semicolon-separated C&Cs.

Tor library

Vyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C&C server chosen at random from the configuration. It contacts the C&C at three-minute intervals, sending information about the victim computer and its drives before receiving commands. The backdoor's export directory contains the TorSocket.dll with the self-explanatory exports close_ch, connect_ch, open_ch, read_ch and write_ch.
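Because the backdoor beacons at a fixed three-minute interval, connection regularity is something network telemetry can surface even though the visible destination is a Tor entry node rather than the .onion C&C. The following Python beacon detector is an added example, not ESET's detection logic: it groups constructed flow records (timestamp, source, destination, port, using documentation IP ranges) per peer and flags pairs whose inter-connection gaps cluster tightly around 180 seconds. The jitter bound and minimum connection count are assumptions; only the three-minute period comes from the write-up.

```python
"""Spot fixed-interval beaconing in connection records.

Added example, not ESET's detection logic. Records are (timestamp, src,
dst, dport) tuples; the sample data below is constructed with documentation
IP ranges. The 180 s period is from the write-up; the jitter bound and the
minimum connection count are assumptions.
"""
from collections import defaultdict
from statistics import median, pstdev


def find_beacons(flows, period=180.0, jitter=0.05, min_count=5):
    """Return (peer, median_gap, connections) for each (src, dst, port) whose
    inter-connection gaps sit within `jitter` of `period` seconds and vary
    by no more than `jitter` of the median gap."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_peer[(src, dst, dport)].append(ts)
    beacons = []
    for peer, times in by_peer.items():
        if len(times) < min_count:
            continue           # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) > jitter * period:
            continue           # typical gap is not the period we look for
        if pstdev(gaps) > jitter * med:
            continue           # gaps exist but are too irregular
        beacons.append((peer, round(med, 1), len(times)))
    return beacons


BASE = 1_600_000_000  # constructed epoch anchor

# Constructed flow records (not telemetry from the page).
SAMPLE_FLOWS = (
    # 10.0.0.5 reaches 203.0.113.7:443 every ~3 minutes with a few seconds
    # of jitter, as a timer-driven beacon would show.
    [(BASE + 180 * i + j, "10.0.0.5", "203.0.113.7", 443)
     for i, j in enumerate([0, 2, -1, 3, 0, 1, -2, 2])]
    # 10.0.0.8 talks to a web server at irregular, human-driven intervals.
    + [(BASE + t, "10.0.0.8", "198.51.100.20", 443)
       for t in [0, 30, 430, 442, 1342, 1417]]
    # 10.0.0.9 is regular but has too few connections for the default threshold.
    + [(BASE + t, "10.0.0.9", "203.0.113.7", 443) for t in [0, 180, 360]]
)

if __name__ == "__main__":
    for peer, gap, count in find_beacons(SAMPLE_FLOWS):
        print(f"{peer[0]} -> {peer[1]}:{peer[2]} every {gap}s ({count} connections)")
```

The watchdog-triggered connections described above would appear as extra connections between the regular ones; they raise the spread of the gaps, so on real data it is worth running the check over a sliding window rather than over a whole day at once.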

Conclusion

Vyveva constitutes yet another addition to Lazarus's extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]

Indicators of Compromise (IoCs)

Samples

SHA-1                                     Filename      ESET detection name  Description
DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067  powerctl.exe  Win32/NukeSped.HX    Installer
69529EED679B0C7F1ACC1FD782A4B443CEC0CF83  powerctl.dll  Win32/NukeSped.HX    Loader (x86)
043ADDFB93A10D187DDE4999D78096077F26E9FD  wwanauth.dll  Win64/NukeSped.EQ    Loader (x64)
1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59  wwansec.dll   Win32/NukeSped.HX    Loader (x86)
4D7ADD8145CB096359EBC3E4D44E19C2735E0377  msobjs.drx                         Backdoor (encrypted)
92F5469DBEFDCEE1343934BE149AFC1241CC8497  msobjs.drx    Win32/NukeSped.HX    Backdoor (decrypted, with fixed MZ header)
A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552  JET76C5.tmp                        Backdoor Tor library (encrypted)
66D17344A7CE55D05A324E1C6BE2ECD817E72680  JET76C5.tmp   Win32/NukeSped.HY    Backdoor Tor library (decrypted, with fixed MZ header)

Filenames

%WINDIR%\System32\powerctl.exe
%WINDIR%\SysWOW64\powerctl.exe
%WINDIR%\System32\power.dat
%WINDIR%\SysWOW64\power.dat

%WINDIR%\System32\wwanauth.dll
%WINDIR%\SysWOW64\wwanauth.dll
%WINDIR%\System32\wwansec.dll
%WINDIR%\SysWOW64\wwansec.dll
%WINDIR%\System32\powerctl.dll
%WINDIR%\SysWOW64\powerctl.dll

%WINDIR%\System32\JET76C5.tmp
%WINDIR%\SysWOW64\JET76C5.tmp
%WINDIR%\System32\msobjs.drx
%WINDIR%\SysWOW64\msobjs.drx

MITRE ATT&CK techniques

This table was built using version 8 of the MITRE ATT&CK framework.

Tactic               ID         Name                                                    Description
Execution            T1569.002  System Services: Service Execution                      Vyveva loader executes via a service.
                     T1106      Native API                                              Vyveva backdoor uses the CreateProcessA API to execute files.
Persistence          T1543.003  Create or Modify System Process: Windows Service        Vyveva installer creates a new service to establish persistence for its loader.
Defense Evasion      T1140      Deobfuscate/Decode Files or Information                 Vyveva decrypts strings and components (backdoor, Tor library).
                     T1070.006  Indicator Removal on Host: Timestomp                    Vyveva backdoor can timestomp files.
                     T1036.004  Masquerading: Masquerade Task or Service                Vyveva installer can create a service with attributes mimicking existing services.
                     T1112      Modify Registry                                         Vyveva stores its configuration in the registry.
                     T1027      Obfuscated Files or Information                         Vyveva has encrypted strings and components.
Discovery            T1083      File and Directory Discovery                            Vyveva backdoor can obtain file and directory listings.
                     T1057      Process Discovery                                       Vyveva backdoor can list running processes.
                     T1082      System Information Discovery                            Vyveva backdoor can obtain system information, including computer name, ANSI code page, OS version and architecture.
                     T1016      System Network Configuration Discovery                  Vyveva backdoor can obtain the local IP address of the victim computer.
                     T1033      System Owner/User Discovery                             Vyveva backdoor can obtain the victim's username.
                     T1124      System Time Discovery                                   Vyveva backdoor can obtain system time and time zone.
Collection           T1560.002  Archive Collected Data: Archive via Library             Vyveva backdoor can compress files with zlib before sending them to the C&C.
                     T1005      Data from Local System                                  Vyveva backdoor can collect files from the computer.
                     T1025      Data from Removable Media                               Vyveva backdoor can notify the C&C about newly inserted removable media and collect files from them.
Command and Control  T1573.001  Encrypted Channel: Symmetric Cryptography               Vyveva backdoor encrypts C&C traffic using XOR.
                     T1573.002  Encrypted Channel: Asymmetric Cryptography              Vyveva backdoor communicates with the C&C via Tor.
Exfiltration         T1041      Exfiltration Over C2 Channel                            Vyveva exfiltrates data to the C&C server.
