ESET researchers uncover a new Lazarus backdoor deployed against a freight logistics firm in South Africa
ESET researchers have discovered a previously undocumented Lazarus backdoor, which they have dubbed Vyveva, used to attack a freight logistics company in South Africa. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we were able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.
Although Vyveva has been in use since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment, as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This suggests that the intent of the operation is most likely espionage.
This blogpost provides the first public, technical analysis of Vyveva’s components.
Attribution to Lazarus
Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way encryption and Tor services are used all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.
An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.
- 92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Vyveva backdoor
- BF98EA1326E5F8C351E68C79B5D1E0164C7BE728 taskhosts.exe Win32/NukeSped.HV trojan
Until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found and, since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.
Figure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.
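The loader’s XOR decryption, together with the IoC note that the recovered samples were decrypted and given a fixed MZ header, points at a routine analyst task: recovering a repeating-key XOR key from an encrypted PE payload by using the DOS header as known plaintext. The following is an added example of that technique, not ESET’s or the malware’s code; the key-length bound, the DOS stub offset, the constructed sample payload and the sample key are assumptions (Vyveva’s actual key and decryption details are not given in this post).

```python
"""Recover a repeating-key XOR key from an encrypted PE using the DOS header
as known plaintext (added example; key length, offsets and sample are assumed)."""
import struct
from typing import Dict, List, Optional

DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E   # where linkers normally place the stub message
MAX_KEY_LEN = 32         # assumed upper bound on the repeating key length


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ signature and that e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _derive_key(ciphertext: bytes, known: Dict[int, bytes], klen: int) -> Optional[bytes]:
    """Fill in key bytes from known plaintext at known offsets.
    Returns None if two known bytes disagree about the same key slot
    (wrong key length) or if some key slot is never covered."""
    key: List[Optional[int]] = [None] * klen
    for offset, plain in known.items():
        for i, p in enumerate(plain):
            pos = offset + i
            if pos >= len(ciphertext):
                return None
            kb = ciphertext[pos] ^ p
            slot = pos % klen
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                return None
    if any(k is None for k in key):
        return None
    return bytes(k for k in key if k is not None)


def recover_xor_key(ciphertext: bytes, known: Optional[Dict[int, bytes]] = None,
                    max_key_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Try key lengths 1..max_key_len and return the shortest consistent key
    whose decryption also carries a valid PE signature chain.
    If the sample's MZ header is damaged (the IoC table notes the headers had
    to be fixed), pass only the DOS stub as known plaintext."""
    if known is None:
        known = {0: b"MZ", DOS_STUB_OFFSET: DOS_STUB}
    for klen in range(1, max_key_len + 1):
        key = _derive_key(ciphertext, known, klen)
        if key is not None and looks_like_pe(xor_bytes(ciphertext, key)):
            return key
    return None


def build_sample_pe() -> bytes:
    """Constructed stand-in for a decrypted payload: a DOS header whose
    e_lfanew points at 0x80, the stub message, and a bare PE signature."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_KEY = bytes.fromhex("5a13c78801")  # constructed; not a real Vyveva key


def demo():
    """Encrypt the constructed sample, recover the key blind, verify roundtrip."""
    plain = build_sample_pe()
    encrypted = xor_bytes(plain, SAMPLE_KEY)
    key = recover_xor_key(encrypted)
    return key, (key is not None and xor_bytes(encrypted, key) == plain)


if __name__ == "__main__":
    print(demo())
```

The stub message alone covers 38 consecutive offsets, so it pins down every slot of any key up to 38 bytes on its own; the MZ bytes only add two more constraints. Shorter key lengths that happen to be consistent are rejected by the PE signature check rather than accepted blindly.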
The installer’s main purposes are twofold: it creates a service that ensures persistence of the backdoor loader, and it stores the embedded, default backdoor configuration in the registry.
To create a legitimate-looking service, its attributes, such as service name and display name, are formed using a combination of words from the attributes of existing services, which are randomly chosen. It is also possible to specify these attributes to the installer via the command line parameters -dll, -svc, -disp, -desc, and -group. We observed the following in the wild, with these parameters:
As for the latter task, the installer first sets the configuration infection ID, which uniquely identifies each victim, to a randomly generated value, and then stores it in the registry, as shown in Figure 3.
Figure 3. Configuration registry value
One of the entries in the configuration is a list of encrypted C&C servers: for example, the installer sample we analyzed is configured with the following C&Cs:
The backdoor, Vyveva’s main component, connects to C&C servers and executes commands issued by the threat actors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping. It can copy creation/write/access time metadata from a “donor” file to a destination file, or use a random date in the years 2000–2004.
Other noteworthy commands are Vyveva’s file upload command and command 0x26. The file upload command is capable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents only. As for command 0x26, it indicates the existence of another, unknown component that we had not yet observed at the time of writing.
The full list of commands is shown in Table 1.
Table 1. Vyveva backdoor commands
| Command ID | Description |
|---|---|
| 0x03 | Reply to “ping” from server |
| 0x10 | Get information about computer – username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, current directory |
| 0x11 | Get information about drives – type, size, name, serial number, filesystem type |
| 0x12 | Write data to specified file, optionally timestomp |
| 0x13 | Upload specified file or directory. File – size, last write time, content. Directory – stats (total files size, file count, directory count); for each entry – name, attributes; directories – recurse into them; files – size, last write time, content |
| 0x14 | Get listing of specified directory – name, attributes, write time; directories – is nonempty; files – size |
| 0x15 | Set current directory to specified directory |
| 0x16 | Create specified process |
| 0x17 | Get information about running processes – PID, PPID, executable file path |
| 0x18 | Terminate process(es) by PID or executable file path |
| 0x19 | Create process with redirected output and upload the output. The command uses a format string that hints at execution via cmd.exe: "%param0% /c "%param1% > %tmp_fpath%" 2>&1". If the output is empty, unique string “…” |
| 0x1A | Delete specified path. File deletion methods: delete only; overwrite & move & delete |
| 0x1B | Copy creation/write/access time metadata from source file or directory to destination file or directory. If the source does not exist, a random time in the years 2000–2004 is used for creation & last write time; access time is unchanged |
| 0x1C | Get info about specified path. File – attributes, creation/write/access time, type, size. Directory / drive – total files size, file count, directory count (with optional extension filtering and recursion) |
| 0x1D | Set current configuration blob, save to registry |
| 0x1E | Get current configuration blob |
| 0x1F | Enable/disable drive watchdog (configuration field enable_drive_watchdog) |
| 0x20 | Enable/disable session watchdog (configuration field enable_session_watchdog) |
| 0x21 | Set configuration value related to delay of backdoor execution (configuration field delay_until_time) |
| 0x23 | Store data used by asynchronous command (related to commands 0x12, 0x13) |
| 0x24 | Stop executing asynchronous command (related to commands 0x12, 0x13) |
| 0x25 | Set configuration value related to delay between failed C&C connection attempts (configuration field wait_minutes) |
|  | Delete configuration registry value; delete backdoor file (self delete); delete loader file; read, decrypt, PE-load wsdchngr.drx and call SamIPromote export in a new thread; exit current thread |
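Command 0x1B’s two behaviours, copying a donor file’s timestamps or stamping random 2000–2004 creation and write times while leaving the access time alone, leave patterns that a forensic triage pass over file metadata can surface. The following is an added example of such heuristics, not ESET’s tooling; the five-year access gap threshold, the sample file records and their paths are constructed assumptions. A hit is a lead to confirm against the NTFS $STANDARD_INFORMATION and $FILE_NAME timestamps in the MFT, not proof of timestomping.

```python
"""Triage heuristics for the timestomping behaviour of command 0x1B.
Added example with constructed sample data; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Window the command draws random creation/write times from (per Table 1).
WINDOW_START = datetime(2000, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2004, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
# Assumed threshold: an access time years after the supposed last write is
# odd for a file that was really last written in 2000-2004 and never touched.
ACCESS_GAP = timedelta(days=365 * 5)


@dataclass(frozen=True)
class FileTimes:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def random_window_suspects(records: List[FileTimes]) -> List[str]:
    """Files whose creation and last-write times both fall in 2000-2004 while
    the access time (which the command leaves unchanged) is much later."""
    hits = []
    for r in records:
        in_window = (WINDOW_START <= r.created <= WINDOW_END
                     and WINDOW_START <= r.modified <= WINDOW_END)
        if in_window and r.accessed - r.modified > ACCESS_GAP:
            hits.append(r.path)
    return hits


def donor_copy_suspects(records: List[FileTimes]) -> List[Tuple[str, ...]]:
    """Groups of distinct files whose creation, write and access times are
    identical to the microsecond: the footprint of copying a donor's metadata.
    Legitimate duplicates can match too, so treat each group as a lead."""
    groups: Dict[Tuple[datetime, datetime, datetime], List[str]] = defaultdict(list)
    for r in records:
        groups[(r.created, r.modified, r.accessed)].append(r.path)
    return [tuple(sorted(paths)) for paths in groups.values() if len(paths) > 1]


def _t(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample records (paths and times are invented for the example).
SAMPLE = [
    FileTimes(r"C:\example\donor.dll", _t("2019-03-19T04:50:24.123456"),
              _t("2019-03-19T04:50:24.123456"), _t("2020-06-02T09:11:03")),
    # Same three timestamps as donor.dll: looks like copied metadata.
    FileTimes(r"C:\example\msobjs.drx", _t("2019-03-19T04:50:24.123456"),
              _t("2019-03-19T04:50:24.123456"), _t("2020-06-02T09:11:03")),
    # Random-looking 2000-2004 creation/write times, but accessed in 2020.
    FileTimes(r"C:\example\loader.dll", _t("2002-07-14T13:22:08"),
              _t("2003-11-02T01:45:55"), _t("2020-06-02T09:12:40")),
    # Ordinary recent document: nothing to flag.
    FileTimes(r"C:\example\report.docx", _t("2020-05-30T10:00:00"),
              _t("2020-05-30T10:05:00"), _t("2020-06-01T08:00:00")),
    # Genuinely old file last accessed back then: in the window, not flagged.
    FileTimes(r"C:\example\readme.txt", _t("2001-02-03T04:05:06"),
              _t("2001-02-03T04:05:06"), _t("2001-02-03T04:05:06")),
]

if __name__ == "__main__":
    print("random-window suspects:", random_window_suspects(SAMPLE))
    print("donor-copy suspects:", donor_copy_suspects(SAMPLE))
```

The access-gap condition is what keeps the genuinely old readme.txt out of the result: a file really written in 2001 and never opened since has no reason to carry a 2020 access time, whereas a freshly dropped component that was just backdated will.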
Of particular interest are the backdoor’s watchdogs, which can optionally be enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, on new drive and session events.
The configuration of the backdoor, which is initially set by the installer, is read from the registry value (shown in Figure 3). When the configuration is modified by a C&C command, the value stored in the registry is updated. An example configuration and its structure are shown in Figure 4.
The wait_minutes field specifies the time to wait before the next connection to the C&C after a failed connection attempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in the delay_until_time field. The encrypted_cncs field is an encrypted string that contains semicolon-separated C&Cs.
Vyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C&C server chosen at random from the configuration. It contacts the C&C at three-minute intervals, sending information about the victim computer and its drives before receiving commands. The backdoor’s export directory contains the TorSocket.dll with the self-explanatory exports close_ch, connect_ch, open_ch, read_ch, write_ch.
Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.
For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]
Indicators of Compromise (IoCs)
| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| 92F5469DBEFDCEE1343934BE149AFC1241CC8497 | msobjs.drx | Win32/NukeSped.HX | Backdoor (decrypted, with fixed MZ header) |
| A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552 | JET76C5.tmp | – | Backdoor Tor library (encrypted) |
| 66D17344A7CE55D05A324E1C6BE2ECD817E72680 | JET76C5.tmp | Win32/NukeSped.HY | Backdoor Tor library (decrypted, with fixed MZ header) |
MITRE ATT&CK techniques
This table was built using version 8 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Execution | T1569.002 | System Services: Service Execution | Vyveva loader executes via a service. |
| Execution | T1106 | Native API | Vyveva backdoor uses the CreateProcessA API to execute files. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | Vyveva installer creates a new service to establish persistence for its loader. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Vyveva decrypts strings and components (backdoor, Tor library). |
| Defense Evasion | T1070.006 | Indicator Removal on Host: Timestomp | Vyveva backdoor can timestomp files. |
| Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | Vyveva installer can create a service with attributes mimicking existing services. |
| Defense Evasion | T1112 | Modify Registry | Vyveva stores its configuration in the registry. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Vyveva has encrypted strings and components. |
| Discovery | T1083 | File and Directory Discovery | Vyveva backdoor can obtain file and directory listings. |
| Discovery | T1057 | Process Discovery | Vyveva backdoor can list running processes. |
| Discovery | T1082 | System Information Discovery | Vyveva backdoor can obtain system information, including computer name, ANSI code page, OS version and architecture. |
| Discovery | T1016 | System Network Configuration Discovery | Vyveva backdoor can obtain the local IP address of the victim computer. |
| Discovery | T1033 | System Owner/User Discovery | Vyveva backdoor can obtain the victim’s username. |
| Discovery | T1124 | System Time Discovery | Vyveva backdoor can obtain system time and time zone. |
| Collection | T1560.002 | Archive Collected Data: Archive via Library | Vyveva backdoor can compress files with zlib before sending them to the C&C. |
| Collection | T1005 | Data from Local System | Vyveva backdoor can collect files from the computer. |
| Collection | T1025 | Data from Removable Media | Vyveva backdoor can notify the C&C about newly inserted removable media and collect files from them. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Vyveva backdoor encrypts C&C traffic using XOR. |
| Command and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Vyveva backdoor communicates with the C&C via Tor. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Vyveva exfiltrates data to the C&C server. |