ESET researchers discover a new Lazarus backdoor deployed against a freight logistics firm in South Africa

ESET researchers have discovered a previously undocumented Lazarus backdoor used to attack a freight logistics company in South Africa, which they have dubbed Vyveva. The backdoor consists of multiple components and communicates with its C&C server via the Tor network. So far, we were able to find its installer, loader and main payload – a backdoor with a TorSocket DLL. The previously unknown attack was discovered in June 2020.

Although Vyveva has been used since at least December 2018, its initial compromise vector is still unknown. Our telemetry data suggests targeted deployment as we found only two victim machines, both of which are servers owned by a freight logistics company located in South Africa. The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the operation is most likely espionage.

This blogpost provides the first public, technical analysis of Vyveva’s components.

Attribution to Lazarus

Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus; hence we can attribute Vyveva to this APT group with high confidence.

An example of the numerous code similarities can be seen in Figure 1 – resolving uniquely named Tor library exports.

  • 92F5469DBEFDCEE1343934BE149AFC1241CC8497 msobjs.drx Vyveva backdoor
  • BF98EA1326E5F8C351E68C79B5D1E0164C7BE728 taskhosts.exe Win32/NukeSped.HV trojan

Figure 1. Hex-Rays decompilation showing similarity between Vyveva (left) and NukeSped sample (right)

Technical analysis

Up until now, we have managed to find three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found and since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.

Figure 2 provides a closer look at the functionality of the installer, the backdoor, and the Tor library.

Figure 2. Overview of Vyveva components

Installer

The main purposes of the installer are twofold: it creates a service that ensures persistence of the backdoor loader, and it stores the embedded, default backdoor configuration in the registry.

To create a legitimate-looking service, its attributes, such as service name and display name, are formed using a combination of words from the attributes of existing services, which are randomly selected. It is also possible to specify these attributes to the installer via command line parameters -‍dll, -svc, -disp, -desc, and -group. We observed the following in the wild, with these parameters:

<SYSDIR>powerctl.exe -svc powerctl -dll powerctl.dll

As for the latter task, the installer first sets the configuration infection ID, which uniquely identifies each victim, to a randomly generated value, and then stores it in the registry, as shown in Figure 3.

[HKLMSOFTWAREMicrosoftDirectX]
    UsageMask = <CONFIG_DATA>

Figure 3. Configuration registry value

One of the entries in the configuration is a list of encrypted C&C servers: for example, the installer sample we analyzed is configured with the following C&Cs:

  • 4bjt2rceijktwedi[.]onion:80
  • cwwpxpxuswo7b6tr[.]onion:80

Backdoor functionality

The backdoor, Vyveva’s main component, connects to C&C servers and executes commands issued by the threat actors. It features 23 commands, some of which are asynchronous and executed in their own threads. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping. It can copy creation/write/access time metadata from a “donor” file to a destination file or use a random date in the years 2000—2004.

Other noteworthy commands are Vyveva’s file upload command, and command 0x26. The file upload command is capable of exfiltrating directories recursively and supports file extension filtering – for example, Office documents only. As for command 0x26, it indicates the existence of another, unknown component that we have not yet observed at the time of writing.

The full list of commands is shown in Table 1.

Table 1. Vyveva backdoor commands

IDDescription
0x03Reply to “ping” from server
0x10Get information about computer – username, computer name, IP, code page, OS version, OS architecture, tick count, time zone, current directory
0x11Get information about drives – type, size, name, serial number, filesystem type
0x12Write data to specified file, optionally timestomp.
0x13Upload specified file or directory
 • File – size, last write time, content
 • Directory stats – total files size, file count, directory count
  - For each entry – name, attributes
  - Directories – recurse into directories
  - Files – size, last write time, content

Options
 • Use compression for file content (zlib 1.2.5)
 • File extension filter (whitelist/blacklist)
 • Recursion flag

0x14Get listing of specified directory
 • name, attributes, write time
 • Directories – is nonempty
 • Files – size
0x15Set current directory to specified directory
0x16Create specified process
0x17Get information about running processes – PID, PPID, executable file path
0x18Terminate process(es) by PID or executable file path
0x19Create process with redirected output and upload the output
The command uses a format string which hints at execution through cmd.exe
 • “%param0% /c “%param1% > %tmp_fpath%” 2>&1″
If the output is empty, unique string “x0Dx0A” is uploaded instead
0x1ADelete specified path. File deletion methods:
 • delete only
 • overwrite & move & delete
0x1BCopy creation/write/access time metadata from source file or directory to destination file or directory.
If the source doesn’t exist, random time in year 2000-2004 is used for creation & last write time, access time is unchanged.
0x1CGet info about specified path:
 • File – attributes, creation/write/access time, type, size
 • Directory / Drive – total files size, file count, directory count (with optional extension filtering and recursion)
0x1DSet current configuration blob, save to registry
0x1EGet current configuration blob
0x1FEnable/disable drive watchdog (configuration field enable_drive_watchdog)
0x20Enable/disable session watchdog (configuration field enable_session_watchdog)
0x21Set configuration value related to delay of backdoor execution (configuration field delay_until_time)
0x23Store data used by asynchronous command (related to commands 0x12, 0x13)
0x24Stop executing asynchronous command (related to commands 0x12, 0x13)
0x25Set configuration value related to delay between failed C&C connection attempts (configuration field wait_minutes)
0x26If <SYSDIR>wsdchngr.drx exists
 • Delete configuration registry value
 • Delete backdoor file (self delete)
 • Delete loader file
 • Read, decrypt, PE-load wsdchngr.drx and call SamIPromote export in a new thread
 • Exit current thread

Of particular interest are the backdoor’s watchdogs, which can be optionally enabled or disabled. There is a drive watchdog used to monitor newly connected and disconnected drives, and a session watchdog monitoring the number of active sessions (i.e. logged-on users). These components can trigger a connection to the C&C server outside the regular, preconfigured three-minute interval, and on new drive and session events.

Configuration

The configuration of the backdoor, which is initially set by the installer, is read from the registry value (shown in Figure 3). When the configuration is modified by a C&C command, the value stored in the registry is updated. An example configuration and its structure are shown in Figure 4.

Figure 4. Configuration structure and annotated example

The wait_minutes field specifies the time to wait before next connection to the C&C after a failed connection attempt. If the execution of the backdoor needs to be delayed until a particular time and date, it can be specified in the delay_until_time field. The encrypted_cncs field is an encrypted string, which contains semicolon-separated C&Cs.

Tor library

Vyveva uses the Tor library, which is based on the official Tor source code, to communicate with a C&C server selected at random from the configuration.  It contacts the C&C at three-minute intervals, sending information about the victim computer and its drives before receiving commands. The backdoor’s export directory contains the TorSocket.dll with self-explanatory exports close_ch, connect_ch, open_ch, read_ch, write_ch.

Conclusion

Vyveva constitutes yet another addition to Lazarus’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected]

Indicators of Compromise (IoCs)

Samples

SHA-1FilenameESET detection nameDescription
DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067powerctl.exeWin32/NukeSped.HXInstaller
69529EED679B0C7F1ACC1FD782A4B443CEC0CF83powerctl.dllWin32/NukeSped.HXLoader (x86)
043ADDFB93A10D187DDE4999D78096077F26E9FDwwanauth.dllWin64/NukeSped.EQLoader (x64)
1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59wwansec.dllWin32/NukeSped.HXLoader (x86)
4D7ADD8145CB096359EBC3E4D44E19C2735E0377msobjs.drxBackdoor (encrypted)
92F5469DBEFDCEE1343934BE149AFC1241CC8497msobjs.drxWin32/NukeSped.HXBackdoor (decrypted with fixed MZ header)
A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552JET76C5.tmpBackdoor Tor library (encrypted)
66D17344A7CE55D05A324E1C6BE2ECD817E72680JET76C5.tmpWin32/NukeSped.HYBackdoor Tor library (decrypted with fixed MZ header) 

Filenames

%WINDIR%System32powerctl.exe
%WINDIR%SysWOW64powerctl.exe
%WINDIR%System32power.dat
%WINDIR%SysWOW64power.dat

%WINDIR%System32wwanauth.dll
%WINDIR%SysWOW64wwanauth.dll
%WINDIR%System32wwansec.dll
%WINDIR%SysWOW64wwansec.dll
%WINDIR%System32powerctl.dll
%WINDIR%SysWOW64powerctl.dll

%WINDIR%System32JET76C5.tmp
%WINDIR%SysWOW64JET76C5.tmp
%WINDIR%System32msobjs.drx
%WINDIR%SysWOW64msobjs.drx

MITRE ATT&CK techniques

This table was built using version 8 of the MITRE ATT&CK framework.

Tactic  ID  Name  Description  
Execution T1569.002System Services: Service Execution Vyveva loader executes via a service.
T1106Native API Vyveva backdoor uses the CreateProcessA API to execute files.
Persistence T1543.003Create or Modify System Process: Windows Service Vyveva installer creates a new service to establish persistence for its loader.
Defense Evasion T1140Deobfuscate/Decode Files or Information Vyveva decrypts strings and components (backdoor, Tor library).
T1070.006Indicator Removal on Host: Timestomp Vyveva backdoor can timestomp files.
T1036.004Masquerading: Masquerade Task or Service Vyveva installer can create a service with attributes mimicking existing services.
T1112Modify Registry Vyveva stores its configuration in the registry. 
T1027Obfuscated Files or Information Vyveva has encrypted strings and components.
Discovery T1083File and Directory Discovery Vyveva backdoor can obtain file and directory listings.
T1057Process Discovery Vyveva backdoor can list running processes.
T1082System Information Discovery Vyveva backdoor can obtain system information, including computer name, ANSI code page, OS version and architecture.
T1016System Network Configuration Discovery Vyveva backdoor can obtain the local IP address of the victim computer.
T1033System Owner/User Discovery Vyveva backdoor can obtain victim’s username.
T1124System Time Discovery Vyveva backdoor can obtain system time and time zone.
Collection T1560.002Archive Collected Data: Archive via Library Vyveva backdoor can compress files with zlib before sending to C&C.
T1005Data from Local System Vyveva backdoor can collect files from computer.
T1025Data from Removable Media Vyveva backdoor can notify C&C about newly inserted removable media and collect files from them.
Command and Control T1573.001Encrypted Channel: Symmetric Cryptography Vyveva backdoor encrypts C&C traffic using XOR.
T1573.002Encrypted Channel: Asymmetric Cryptography Vyveva backdoor communicates with C&C via Tor.
Exfiltration T1041Exfiltration Over C2 Channel Vyveva exfiltrates data to C&C server.



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here