Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
The Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with Volgmer were identified as a result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.
Spear phishing is the primary delivery mechanism for Volgmer infections. HIDDEN COBRA actors also use a suite of custom tools, some of which could be used to compromise a system initially. Additional HIDDEN COBRA malware may therefore be present on network infrastructure where Volgmer has been found, so a Volgmer detection should be treated as evidence of a broader intrusion rather than as a single-malware cleanup.
The U.S. Government has examined Volgmer's infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. Static addresses can be blocked directly; dynamic addresses are reassigned over time and are better used to alert on than to block outright.
The highest concentrations of dynamic IP addresses are identified below by approximate percentage:
As a backdoor Trojan, Volgmer has numerous capabilities including gathering system information, downloading and uploading files, updating service registry keys, executing commands, terminating processes, and listing directories.
The United States Computer Emergency Readiness Team (US-CERT) Code Analysis Team observed botnet controller functionality in one of the samples received for analysis.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Sockets Layer (SSL) encryption to obfuscate communications. Because the protocol is custom rather than HTTP, non-HTTP traffic on these ports is a useful hunting lead even when the destination address is not a known IOC.
Malicious actors install the malware as a Windows service to maintain persistence on the victim's system. Volgmer queries the system for existing services and randomly chooses one in which to install a copy of itself, overwriting the ServiceDLL entry in the selected service's registry key (under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters). The hijacked service keeps its legitimate name and ImagePath, so the normal svchost.exe host process ends up loading the malicious DLL.
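The persistence mechanism above is the natural place to hunt. The following PowerShell script is an added example, not code from the US-CERT alert: it walks every service key, reads the ServiceDLL value where one exists, and reports services whose DLL lives outside the trusted directories or fails Authenticode verification. The trusted roots are an assumption for this example; adjust them for hosts that legitimately host service DLLs elsewhere.

```powershell
# Added example (not from the alert): audit svchost-hosted services for
# ServiceDLL values that point outside the Windows directory or are unsigned.
# Run in an elevated PowerShell session on the host being checked.

function Get-SuspiciousServiceDll {
    [CmdletBinding()]
    param(
        # Directories considered normal for a ServiceDLL (assumption for this example)
        [string[]]$TrustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $findings = @()
    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue

    foreach ($svc in $services) {
        $paramKey = Join-Path $svc.PSPath 'Parameters'
        if (-not (Test-Path $paramKey)) { continue }

        # Only svchost-hosted services carry a ServiceDll value
        $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }

        # ServiceDll is REG_EXPAND_SZ; expand explicitly in case the provider did not
        $dll = [Environment]::ExpandEnvironmentVariables($dll)

        $inTrustedRoot = $false
        foreach ($root in $TrustedRoots) {
            if ($dll.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
                break
            }
        }

        # A missing file is itself suspicious: the service will fail to start
        $sigStatus = 'FileMissing'
        if (Test-Path -LiteralPath $dll) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
        }

        if ($inTrustedRoot -and $sigStatus -eq 'Valid') { continue }

        $reason = if (-not $inTrustedRoot) { 'DLL outside trusted roots' } else { "Signature status: $sigStatus" }
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath

        $findings += [pscustomobject]@{
            Service    = $svc.PSChildName
            ImagePath  = $imagePath
            ServiceDll = $dll
            Signature  = $sigStatus
            Reason     = $reason
        }
    }
    return $findings
}

Get-SuspiciousServiceDll | Format-Table -AutoSize
```

On Windows versions where Get-AuthenticodeSignature does not resolve catalog signatures, legitimate Microsoft DLLs may report NotSigned; in that case compare the output against a known-clean host of the same build rather than treating every hit as malicious. The DLL write time and the service's last-modified registry time are the next things to pull for any finding.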
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
DHS recommends that users and administrators use the following best practices as defensive actions to protect their computer networks:
- Use application whitelisting to block malicious software and unauthorized programs from executing. Whitelisting is one of the most effective security strategies because it permits only specified programs to run and blocks all others, including malicious software.
- Keep operating systems and software up to date with the latest patches. Vulnerable applications and operating systems are the targets of most attacks; patching promptly dramatically reduces the number of entry points available to an attacker.
- Keep antivirus software up to date, and scan all software downloaded from the Internet before executing it.
- Restrict users' permissions to install and run unwanted software applications, and apply the principle of "least privilege" to all systems and services. Restricting these rights may prevent malware from running or limit its ability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, the embedded code executes the malware on the machine. Enterprises and organizations may be best served by blocking email messages with attachments from suspicious sources.
- Do not follow suspicious web links in emails.
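Given that spear phishing is Volgmer's primary delivery mechanism, the macro recommendation above is the one most worth enforcing rather than leaving to user judgement. The PowerShell below is an added example, not part of the alert: it applies the Office "Block macros from running in Office files from the Internet" policy and sets macro security to "Disable all without notification" for the current user, then reads the settings back. The Office registry version (16.0) is an assumption; in a domain the same values are normally delivered through Group Policy rather than a script.

```powershell
# Added example (not from the alert): harden Office macro handling via the
# per-user policy keys and verify the result.

$OfficeVersion = '16.0'   # assumption: 16.0 covers Office 2016/2019/365; older releases use 15.0 or 14.0
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-OfficeMacroHardening {
    param([string]$Version, [string[]]$Applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 1 = block macros in files carrying the Mark-of-the-Web (downloads, mail attachments)
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        # VBAWarnings: 1 enable all, 2 disable with notification, 3 only signed, 4 disable all silently
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    }
}

function Test-OfficeMacroHardening {
    param([string]$Version, [string[]]$Applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            BlockInternetMacros = ($p.blockcontentexecutionfrominternet -eq 1)
            MacrosDisabled      = ($p.VBAWarnings -eq 4)
        }
    }
}

Set-OfficeMacroHardening -Version $OfficeVersion -Applications $Apps
Test-OfficeMacroHardening -Version $OfficeVersion -Applications $Apps | Format-Table -AutoSize
```

Setting VBAWarnings to 4 disables all macros, including signed ones; organisations that depend on signed macros should use 3 (only digitally signed macros run) and keep the Mark-of-the-Web block, which is the setting that stops the emailed-attachment case this alert describes.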