
Vyveva RAT

Actor(s): Lazarus Group


Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.

It uses a simple XOR for encryption of its configuration and network traffic.

It sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.

It supports more than 20 commands, including operations on the victim's filesystem, basic process management, command line execution, file exfiltration, and the download and in-memory execution of an additional DLL from the C&C (by calling the expected export SamIPromote). As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers: the lowest index is 0x3, followed by 0x10, after which the indices increase consecutively up to 0x26. It can also monitor newly connected drives and the number of logged-on users.

It has MPRD.dll as the internal DLL name, and a single export SamIInitialize.
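A triage helper added here (not part of the Malpedia page or of ESET's research) that reads a PE file's export directory and reports the two export-table markers named above: the internal name MPRD.dll together with the export SamIInitialize for the main module, and the export SamIPromote that Vyveva expects from a DLL it downloads. build_sample_dll is a constructed fixture so the check can run offline; no real sample is included.

```python
import struct

VYVEVA_DLL_NAME = b"MPRD.dll"   # internal name of the main Vyveva DLL (from the description above)
VYVEVA_EXPORTS = {b"SamIInitialize": "main module", b"SamIPromote": "downloaded plugin"}
_cstr = lambda d, o: d[o:d.index(b"\0", o)]   # read a NUL-terminated string at file offset o

def pe_exports(data):
    """Return (internal DLL name, exported names) from a PE file's export directory, or (None, [])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # data dirs: PE32 vs PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]                              # entry 0 = export table
    if exp_rva == 0:
        return None, []
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]  # VSize, VA, RawSize, RawPtr
    def off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x outside all sections" % rva)
    name_rva, _, _, n_names, _, names_rva, _ = struct.unpack_from("<7I", data, off(exp_rva) + 12)
    name_ptrs = struct.unpack_from("<%dI" % n_names, data, off(names_rva))
    return _cstr(data, off(name_rva)), [_cstr(data, off(p)) for p in name_ptrs]

def vyveva_export_markers(data):
    """Triage: which Vyveva export-table markers does this DLL carry (main module vs. plugin)?"""
    dll, names = pe_exports(data)
    hits = {n.decode(): VYVEVA_EXPORTS[n] for n in names if n in VYVEVA_EXPORTS}
    return {"internal_name": dll == VYVEVA_DLL_NAME, "exports": hits}

def build_sample_dll(dll_name, exports):  # constructed PE32 stub with only an export directory, not a real sample
    va, raw, n = 0x1000, 0x200, len(exports)
    body, strings = bytearray(40 + 10 * n), bytearray()   # export directory + function/name/ordinal tables
    def add(s):  # append a C string after the tables and return its RVA
        rva = va + len(body) + len(strings); strings.extend(s + b"\0"); return rva
    name_rva = add(dll_name)
    for i, e in enumerate(exports):
        struct.pack_into("<I", body, 40 + 4 * n + 4 * i, add(e))   # AddressOfNames[i]
        struct.pack_into("<H", body, 40 + 8 * n + 2 * i, i)        # AddressOfNameOrdinals[i]
    struct.pack_into("<7I", body, 12, name_rva, 1, n, n, va + 40, va + 40 + 4 * n, va + 40 + 8 * n)
    section = bytes(body + strings)
    hdr = bytearray(raw)
    hdr[0:2], hdr[0x3C], hdr[0x40:0x44] = b"MZ", 0x40, b"PE\0\0"                    # MZ, e_lfanew, PE signature
    struct.pack_into("<HHIIIHHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102, 0x10B)   # COFF header + PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96, va, len(section))                        # export data directory entry
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".edata", len(section), va, len(section), raw)  # section header
    return bytes(hdr) + section
```

Run vyveva_export_markers over the DLLs you are triaging; a hit on the internal name plus SamIInitialize points at the main module, while a lone SamIPromote export is the shape Vyveva expects of a downloaded plugin.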

Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.

References
2021-04-08 | ESET Research | Filip Jurčacko: (Are you) afreight of the dark? Watch out for Vyveva, new Lazarus backdoor
Yara Rules
[TLP:WHITE] win_vyveva_auto (20230808 | Detects win.vyveva.)
rule win_vyveva_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.vyveva."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.vyveva"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 58 ff7008 5a 8916 3b4808 7405 }
            // n = 6, score = 100
            //   58                   | pop                 eax
            //   ff7008               | push                dword ptr [eax + 8]
            //   5a                   | pop                 edx
            //   8916                 | mov                 dword ptr [esi], edx
            //   3b4808               | cmp                 ecx, dword ptr [eax + 8]
            //   7405                 | je                  7

        $sequence_1 = { 51 8f00 8b4c2408 85c9 7407 51 8f4004 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8f00                 | pop                 dword ptr [eax]
            //   8b4c2408             | mov                 ecx, dword ptr [esp + 8]
            //   85c9                 | test                ecx, ecx
            //   7407                 | je                  9
            //   51                   | push                ecx
            //   8f4004               | pop                 dword ptr [eax + 4]

        $sequence_2 = { 57 56 51 55 59 e8???????? ff30 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   51                   | push                ecx
            //   55                   | push                ebp
            //   59                   | pop                 ecx
            //   e8????????           |                     
            //   ff30                 | push                dword ptr [eax]

        $sequence_3 = { 56 59 50 e8???????? 8d8c2494010000 6a04 }
            // n = 6, score = 100
            //   56                   | push                esi
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d8c2494010000       | lea                 ecx, [esp + 0x194]
            //   6a04                 | push                4

        $sequence_4 = { 740a 394424fc 7404 894424fc 83ec04 5d 83fdff }
            // n = 7, score = 100
            //   740a                 | je                  0xc
            //   394424fc             | cmp                 dword ptr [esp - 4], eax
            //   7404                 | je                  6
            //   894424fc             | mov                 dword ptr [esp - 4], eax
            //   83ec04               | sub                 esp, 4
            //   5d                   | pop                 ebp
            //   83fdff               | cmp                 ebp, -1

        $sequence_5 = { 83ec38 8b15???????? 8d442404 55 56 }
            // n = 5, score = 100
            //   83ec38               | sub                 esp, 0x38
            //   8b15????????         |                     
            //   8d442404             | lea                 eax, [esp + 4]
            //   55                   | push                ebp
            //   56                   | push                esi

        $sequence_6 = { 2bce 59 7409 33c9 8d4c0e04 83e904 ff5004 }
            // n = 7, score = 100
            //   2bce                 | sub                 ecx, esi
            //   59                   | pop                 ecx
            //   7409                 | je                  0xb
            //   33c9                 | xor                 ecx, ecx
            //   8d4c0e04             | lea                 ecx, [esi + ecx + 4]
            //   83e904               | sub                 ecx, 4
            //   ff5004               | call                dword ptr [eax + 4]

        $sequence_7 = { 6a00 52 50 6a06 e8???????? 83c404 ffd0 }
            // n = 7, score = 100
            //   6a00                 | push                0
            //   52                   | push                edx
            //   50                   | push                eax
            //   6a06                 | push                6
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   ffd0                 | call                eax

        $sequence_8 = { 59 c644247801 e8???????? 8b4c2434 8b442430 8d542428 894c242c }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   c644247801           | mov                 byte ptr [esp + 0x78], 1
            //   e8????????           |                     
            //   8b4c2434             | mov                 ecx, dword ptr [esp + 0x34]
            //   8b442430             | mov                 eax, dword ptr [esp + 0x30]
            //   8d542428             | lea                 edx, [esp + 0x28]
            //   894c242c             | mov                 dword ptr [esp + 0x2c], ecx

        $sequence_9 = { 7408 c70100000000 0101 83c008 85c0 7403 55 }
            // n = 7, score = 100
            //   7408                 | je                  0xa
            //   c70100000000         | mov                 dword ptr [ecx], 0
            //   0101                 | add                 dword ptr [ecx], eax
            //   83c008               | add                 eax, 8
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 360448
}