North Korean-backed Lazarus Group Attack Freighters With New Vyveva Malware

North Korean-back Lazarus Group has been using a new malware with backdoor capabilities in an ongoing campaign against South African freighters and logistics companies. The malware, dubbed Vyveva, was first reported on by researchers at ESAT last year. While Vyveva was only found on a handful of freighters by ESAT, it is understood that the malware has infected several ships that have yet to be reported.

The Vyveva malware comes with an extensive toolkit, allowing Lazarus Group operators to harvest and exfiltrate files from infected systems to servers under their control using the Tor anonymous network as a secure communication channel.

Lazarus Group can also use the malware to delivery and execute malicious code on any compromised system on the target network, making propagation a big threat in the campaign.

According to BleepingComputer, Vyveva boasts many other features, including support for timestomping commands, which allows its operators to manipulate any file’s date using metadata from other files on the system or by setting a random date between 2000 and 2004 to hide new or modified files.

“While the backdoor will connect to its command-and-control (C2) server once every three minutes, it also uses watchdogs designed to keep track of newly connected drives or the active user sessions to trigger new C2 connections on a new session or drive events.” BleepingComputer reported.

ESAT noted several similarities between Vyveva and other malware strains developed by Lazarus Group. The use of a fake TLS protocol in network communication, command-line execution chains, and the methods of using encryption and Tor services are all evidence of a Lazarus Group attack.

On the geographic scale of the attack, security researcher Filip Jurčacko said, “Vyveva constitutes yet another addition to Lazarus Group’s extensive malware arsenal. Attacking a company in South Africa also illustrates the broad geographical targeting of this APT group.”

Vyveva Malware Analysis

Much of this analysis was carried out by ESAT, and reported through welivesecurity.

As mentioned, there are a number of similarities between Vyveva and other Lazarus Group Malware strains. This is most notable when compared with the NukeSped remote-access-trojan.

Comparison of Vyveva and NukeSped, courtesy of welivesecurity

ESAT have found three of the multiple components comprising Vyveva – its installer, loader and backdoor. The installer is the earliest chronological stage found and since it expects other components to be already present on the machine, it suggests the existence of an earlier, unknown stage – a dropper. The loader serves to decrypt the backdoor using a simple XOR decryption algorithm.

Vyveva Components

The installer creates a service that ensures the persistence of the backdoor, as well as storing the backdoor configuration in the registry. The malware aims to create legitimate-looking services by taking combinations of words from existing services randomly selected.

The installer will first set the configuration infection ID, which is unique for each victim. This is also stored in the registry, along with a configuration for the encrypted C&C servers.

The backdoor is Vyveva’s main component. It connects to the C&C and executes commands from Lazarus Group, featuring 23 different commands. Most of them are ordinary commands for file and process operations or information gathering, but there is also a less common command for file timestomping.

The configuration of the backdoor, which is initially set by the installer, is read from the registry value. When the configuration is modified by a C&C command, the value stored in the registry is updated.

Config File from welivesecurity

Lazarus Group; Veteran Threat Actors

Lazarus Group first came into the public spotlight when they carried out Operation Troy, which ran between 2009 and 2012.

Operation Troy was a series of distributed denial-of-service (DDos) attacks targeting government establishments in Seoul, South Korea.

Lazarus Group made the news again, identifying themselves as ‘Guardians of Peace’, in November 2014 for carrying out the Sony Pictures hack. During the attack, confidential data of many Sony Pictures employees were released, and initially circulated on Reddit. This attack is notable in the history of Lazarus Group; it was carried out in a sophisticated and complex manner, showing the group were now developing their skills rapidly.

Lazarus Group have also been responsible for a number of digital bank-heists; and the amount seized is believed to be at least $97 million.

The WannaCry ransomware attack of 2017, which saw a number of healthcare systems including the NHS in the UK brought to a halt, is believed but not confirmed to have been carried out by Lazarus Group.

Recently, Lazarus Group are involved in a number of additional attacks, notable the late-2020 pharmaceutical company attacks. By using spear-phishing methods, members of Lazarus Group acted as health officials and reached out to a number of pharmaceutical companies. Once trust was gained, Lazarus Group sent a number of malicious links to the companies. It is unconfirmed what the goal of the attack was, but it is suspected that they were looking to sell data for profit, extort the companies and their employees, and give foreign entities access to proprietary COVID-19 Research.


Organizations like Lazarus Group show that there are few industries that malware cannot affect. Business owners should be vigilant in their cybersecurity suite and use proactive tools in the fight against malware. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply

Your email address will not be published. Required fields are marked *