The North Korean-backed Lazarus hacking group used new malware with backdoor capabilities, dubbed Vyveva, in targeted attacks against a South African freight logistics company.
Vyveva was first used in a June 2020 attack as ESET researchers discovered, but further evidence shows Lazarus has been deploying it in previous attacks going back to at least December 2018.
The malware comes with an extensive set of cyber-espionage capabilities that allow Lazarus operators to harvest files from infected systems and exfiltrate them to servers under their control, using the Tor anonymity network as a secure communication channel.
While the backdoor connects to its command-and-control server once every three minutes, it also uses watchdogs that monitor newly connected drives and active user sessions, triggering additional C2 connections whenever a new session or drive event occurs.
"Vyveva constitutes yet another addition to Lazarus's extensive malware arsenal," Jurčacko added.
Indicators of compromise, including Vyveva sample hashes used during attacks targeting the South African freight company, are available at the end of ESET's report.