South African freight firm allegedly targeted by Lazarus

Share on facebook
Share on twitter
Share on linkedin
Share on email

An attack on a South African freight logistics company has led researchers at ESET to a new backdoor that is potentially being used by the Lazarus Group.

As a primer, the Lazarus Group is a collective of hackers believed to be headquartered in North Korea. The group has been linked to massive data breaches at Sony and was even accused of spreading the WannaCry ransomware in 2017.

Circling back to the backdoor discovered by ESET, it’s believed that the previously undocumented malware has been in play since at least December 2018. ESET has named the backdoor Vyveva.

Vyveva consists of a number of components and it communicates with command and control server using the Tor network. The cybersecurity firm has managed to find the installer, loader and the main payload (a backdoor with a TorSocket DLL) since first discovering the backdoor in June 2020.

“Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence,” writes malware analyst at ESET Filip Jurčacko.

The malware is able to extract data directories and can even filter directories to look for specific file types. There are as many as 23 commands an attacker can issue using Vyveva including deleting files, watch a target’s drives and more.

ESET didn’t disclose the name of the firm which had been attacked, but the fact that a supposedly North Korean hacking collective is targeting a South African firm should be cause for concern.

While ESET says that targeting a South African firm, “illustrates the broad geographical targeting of this APT group,” we are concerned that Lazarus Group chose this firm because it was a soft target.

This news does serve as a grave reminder that cybersecurity professionals can only do so much when there are many more ne’er-do-wells than there are good guys fighting cybercrime.

[Image – CC 0 Pixabay]

Brendyn Lotz

Brendyn Lotz

Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.