1. Home
  2. Software
  3. Volgmer

Volgmer

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [1]

ID: S0180
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 16 January 2018
Last Modified: 10 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1036 .004 伪装: Masquerade Task or Service

Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[2][3]
Enterprise T1112 修改注册表

Volgmer modifies the Registry to store an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[2][3]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.[1][2][3]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

Volgmer uses a simple XOR cipher to encrypt traffic and files.[2]
.002 加密通道: Asymmetric Cryptography

Some Volgmer variants use SSL to encrypt C2 communications.[1]
Enterprise T1140 反混淆/解码文件或信息

Volgmer deobfuscates its strings and APIs once its executed.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

Volgmer can execute commands on the victim's machine.[1][2]
Enterprise T1083 文件和目录发现

Volgmer can list directories on a victim.[1]
Enterprise T1106 本机API

Volgmer executes payloads using the Windows API call CreateProcessW().[2]
Enterprise T1012 查询注册表

Volgmer checks the system for certain Registry keys.[2]
Enterprise T1027 .011 混淆文件或信息: Fileless Storage

Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[1][3]
.013 混淆文件或信息: Encrypted/Encoded File

A Volgmer variant is encoded using a simple XOR cipher.[2]
Enterprise T1070 .004 移除指标: File Deletion

Volgmer can delete files and itself after infection to avoid analysis.[2]
Enterprise T1082 系统信息发现

Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.[1][2][3]
Enterprise T1007 系统服务发现

Volgmer queries the system to identify existing services.[1]
Enterprise T1049 系统网络连接发现

Volgmer can gather information about TCP connection state.[3]
Enterprise T1016 系统网络配置发现

Volgmer can gather the IP address from the victim's machine.[3]
Enterprise T1105 输入工具传输

Volgmer can download remote files and additional payloads to the victim's machine.[1][2][3]
Enterprise T1057 进程发现

Volgmer can gather a list of processes.[3]

Groups That Use This Software

ID Name References
G0032 Lazarus Group

[1]

References

  1. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  2. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  1. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.