
Vyveva Backdoor Trojan

A previously unknown backdoor Trojan threat named Vyveva has been discovered by cybersecurity researchers. The threat is comprised of multiple different components with only three being analyzed so far - the installer, loader, and main payload. Certain circumstantial evidence points towards Vyveva being a part of the malware arsenal of the Lazarus APT (Advanced Persistent Threat) group. Although it is believed that the Vyveva Backdoor Trojan has been used since at least 2018, so far only two systems infected with it have been detected. Both of the compromised devices belong to a freight logistics company from South Africa.

Vyveva's Attack Chain

The initial compromise vector used in the attack hasn't been confirmed, but the threat was most likely delivered through a highly targeted operation. The earliest component in the attack chain that has been discovered is the malware's installer, but it expects to find certain other components already present on the system, suggesting that there exists an earlier-stage dropper. The installer has two main tasks - establishing the persistence mechanism for the backdoor loader and embedding the default backdoor configuration into the system's registry.

The main threatening component of Vyveva is responsible for connecting to the Command-and-Control (C2, C&C) servers of the operation and executing any commands received from the threat actor. Vyveva can recognize a total of 23 commands, most of them related to manipulating the file system and process operations or gathering information. However, some commands stand out. For example, Vyveva is capable of file timestamping (timestomping). If this command is received, the threat will copy creation/write/access time metadata from a source file to a destination file. If such a source file cannot be found, a random date between 2000 and 2004 will be chosen instead.
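A hunting heuristic for the timestomping behaviour just described, as an added example (not code from the page or from the researchers who analyzed Vyveva): it flags files whose three timestamps all fall inside the 2000-2004 fallback window, and files whose (ctime, mtime, atime) triple exactly matches another file's, which is what copying metadata from a source file produces. The sample records are constructed, not real telemetry.

```python
"""Hunting heuristic for the Vyveva timestomping behaviour described above.
Added example, not from the page: flags files whose three timestamps all fall in
the 2000-2004 fallback window, and files whose (ctime, mtime, atime) triple is
identical to another file's. Caveat: on Linux st_ctime is inode-change time and
cannot be set via utime(); creation-time checks are meaningful on Windows."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

Triple = Tuple[float, float, float]
Records = Dict[str, Triple]
WINDOW_START = datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp()
WINDOW_END = datetime(2005, 1, 1, tzinfo=timezone.utc).timestamp()  # exclusive


def _ts(*ymd: int) -> float:
    """Build a POSIX timestamp from year, month, day (UTC)."""
    return datetime(*ymd, tzinfo=timezone.utc).timestamp()


# Constructed sample records (not real telemetry) for a stand-alone run.
SAMPLE_RECORDS: Records = {
    "C:/ProgramData/svc.dll": (_ts(2002, 6, 3), _ts(2002, 6, 3), _ts(2002, 6, 3)),
    "C:/Windows/System32/kernel32.dll": (_ts(2019, 3, 19), _ts(2019, 3, 19), _ts(2021, 4, 1)),
    "C:/ProgramData/upd.exe": (_ts(2019, 3, 19), _ts(2019, 3, 19), _ts(2021, 4, 1)),
    "C:/Users/alice/report.docx": (_ts(2021, 2, 10), _ts(2021, 2, 11), _ts(2021, 3, 1)),
}


def in_fallback_window(ts: Triple) -> bool:
    """True when every timestamp lies inside the 2000-2004 fallback range."""
    return all(WINDOW_START <= t < WINDOW_END for t in ts)


def find_suspicious(records: Records) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files matching either heuristic."""
    by_triple: Dict[Triple, List[str]] = {}
    for path, ts in records.items():
        by_triple.setdefault(ts, []).append(path)
    hits: Dict[str, List[str]] = {}
    for path, ts in records.items():
        reasons = []
        if in_fallback_window(ts):
            reasons.append("all timestamps in 2000-2004 fallback window")
        twins = [p for p in by_triple[ts] if p != path]  # cloned metadata?
        if twins:
            reasons.append("timestamp triple identical to " + ", ".join(twins))
        if reasons:
            hits[path] = reasons
    return hits
```

On a real host, build the records dict from os.stat() (st_ctime, st_mtime, st_atime) over the directories of interest; both sides of an identical-triple pair are reported, so the analyst decides which file is the source and which is the copy.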

The file upload command also has some interesting characteristics. The threat actor can choose to exfiltrate selected directories recursively while also filtering certain file extensions, either uploading only files with the specific extension or excluding them from the process. A particular command designated as 0x26 points towards an unknown component that so far hasn't been observed.

Lazarus Connection

Despite the extremely narrow scope of the operation, certain Vyveva aspects place the threat among the tools employed by the Lazarus APT. The backdoor shares multiple code similarities with older malware threats from the hacker group, such as the NukeSped malware family. Furthermore, certain command-line execution chains and the use of fake TLS in the network communication have also been previously observed Lazarus techniques. Overlaps can also be found in the implementation of Vyveva's encryption and Tor services.
