Vyveva RAT
Vyveva is a remote access trojan that uses the Tor library for communication with C&C. Its use of fake TLS for camouflaging the network traffic is one of the typical Lazarus traits.
It uses a simple XOR cipher to encrypt both its configuration and its network traffic.
It sends detailed information about the victim's environment, like computer name, user name, IP, code page, Windows version, architecture, and time zone.
It supports more than 20 commands, covering operations on the victim's filesystem, basic process management, command line execution, file exfiltration, and the download and in-memory execution of an additional DLL from the C&C (invoked by calling the expected export SamIPromote). As in many RATs from the Lazarus arsenal, the commands are indexed by 32-bit integers: the lowest index is 0x3, followed by a contiguous range from 0x10 up to 0x26. It can also monitor newly connected drives and the number of logged-on users.
Its internal DLL name is MPRD.dll, and it has a single export, SamIInitialize.
Vyveva RAT was used in an attack against a freight logistics company in South Africa in June 2020.
Family metadata imported from Malpedia (Fraunhofer FKIE).