Dwee
Level 9
Message 1 of 6

New Malware lazarus variant Vyveva

Dear All,

 

Is McAfee ENS (10.7) currently strong against attacks from Vyveva, the new variant of Lazarus?

I just got the news from here: https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-vyveva-malware-to-attack...

Our customer wants to make sure their environment is safe from this attack using McAfee ENS.

 

| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067 | powerctl.exe | Win32/NukeSped.HX | Installer |
| 69529EED679B0C7F1ACC1FD782A4B443CEC0CF83 | powerctl.dll | Win32/NukeSped.HX | Loader (x86) |
| 043ADDFB93A10D187DDE4999D78096077F26E9FD | wwanauth.dll | Win64/NukeSped.EQ | Loader (x64) |
| 1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59 | wwansec.dll | Win32/NukeSped.HX | Loader (x86) |
| 4D7ADD8145CB096359EBC3E4D44E19C2735E0377 | msobjs.drx | - | Backdoor (encrypted) |
| 92F5469DBEFDCEE1343934BE149AFC1241CC8497 | msobjs.drx | Win32/NukeSped.HX | Backdoor (decrypted with fixed MZ header) |
| A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552 | JET76C5.tmp | - | Backdoor Tor library (encrypted) |
| 66D17344A7CE55D05A324E1C6BE2ECD817E72680 | JET76C5.tmp | Win32/NukeSped.HY | Backdoor Tor library (decrypted with fixed MZ header) |

Filenames
%WINDIR%\System32\powerctl.exe
%WINDIR%\SysWOW64\powerctl.exe
%WINDIR%\System32\power.dat
%WINDIR%\SysWOW64\power.dat

 

thanks

Dwi

5 Replies
Pravas
McAfee Employee
Message 2 of 6

Re: New Malware lazarus variant Vyveva

Hi @Dwee ,

I've looked up those hash values, but currently McAfee is unable to source the samples in public.

In case these samples become available eventually, we shall review them and add coverage if they are malicious.

Thanks

Dwee
Level 9
Message 3 of 6

Re: New Malware lazarus variant Vyveva

Hi Pravas,

Thanks for your response. So in the meantime, what do you suggest as the answer for me to give to my customer? This one, the Lazarus one? https://kc.mcafee.com/corporate/index?page=content&id=KB94170&locale=en_US

Or should I just say that the McAfee team is still investigating this new threat?

 

vivs
McAfee Employee
Message 4 of 6

Re: New Malware lazarus variant Vyveva

Hello @Dwee 

Thanks for your post.

I would like to request you to please open a Service Request with Support Team.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Daveb3d
Reliable Contributor
Message 5 of 6

Re: New Malware lazarus variant Vyveva

You can drop in an Expert Rule to block those hashes if they are concerned.

 

Dave

Dwee
Level 9
Message 6 of 6

Re: New Malware lazarus variant Vyveva

Hi all, thanks for your time,

 

Sorry, but I'm not very used to Expert Rules. Any suggestions?

 

thanks
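
An added example, not part of any post in this thread and not McAfee code: a Python sweep that checks a directory tree for the SHA-1 values and file names listed in the first post, to show whether any of the listed files are already present on a host. The function and constant names (`sweep`, `sha1_of`, `VYVEVA_SHA1`, `VYVEVA_NAMES`) are assumptions made for this example.

```python
import hashlib
import os

# SHA-1 values and descriptions copied from the table in the first post.
VYVEVA_SHA1 = {
    "DAD50AD3682A3F20B2F35BE2A94B89E2B1A73067": "powerctl.exe, installer",
    "69529EED679B0C7F1ACC1FD782A4B443CEC0CF83": "powerctl.dll, loader (x86)",
    "043ADDFB93A10D187DDE4999D78096077F26E9FD": "wwanauth.dll, loader (x64)",
    "1E3785FC4FE5AB8DAB31DDDD68257F9A7FC5BF59": "wwansec.dll, loader (x86)",
    "4D7ADD8145CB096359EBC3E4D44E19C2735E0377": "msobjs.drx, backdoor (encrypted)",
    "92F5469DBEFDCEE1343934BE149AFC1241CC8497": "msobjs.drx, backdoor (decrypted)",
    "A5CE1DF767C89BF29D40DC4FA6EAECC9C8979552": "JET76C5.tmp, Tor library (encrypted)",
    "66D17344A7CE55D05A324E1C6BE2ECD817E72680": "JET76C5.tmp, Tor library (decrypted)",
}
# File names from the same table and the "Filenames" list, lower-cased.
VYVEVA_NAMES = {"powerctl.exe", "powerctl.dll", "wwanauth.dll", "wwansec.dll",
                "msobjs.drx", "jet76c5.tmp", "power.dat"}

def sha1_of(path):
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest().upper()

def sweep(root, sha1_iocs=VYVEVA_SHA1, names=VYVEVA_NAMES):
    """Walk root and return sorted (kind, path, detail) tuples.
    A "sha1" hit is an exact match on a listed hash; a "name" hit only means
    the file name is on the list and the file needs manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                digest = sha1_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it
            if digest in sha1_iocs:
                findings.append(("sha1", path, sha1_iocs[digest]))
            elif fname.lower() in names:
                findings.append(("name", path, digest))
    return sorted(findings)

if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for sub in ("System32", "SysWOW64"):
        for hit in sweep(os.path.join(windir, sub)):
            print(*hit, sep="\t")
```

Run it with a 64-bit Python on 64-bit Windows so that `System32` is not redirected to `SysWOW64`.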

 
