Volgmer is a backdoor trojan used since at least 2013 by the threat group associated with the North Korean government, known as HIDDEN COBRA or Lazarus Group, to maintain a presence on, and further exploit, the networks of organizations in the government, financial, automotive, and media industries. The threat actors are believed to spread this trojan via spearphishing emails; however, it may also be dropped by first-stage malware. Volgmer payloads have been delivered as executables and dynamic-link library (.dll) files. The malware communicates with its C2 server either through a custom binary protocol over TCP port 8080 or 8088 or through a connection protected with Secure Sockets Layer (SSL) encryption.
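The C2 channel described above (a custom binary protocol over TCP 8080 or 8088) gives a defender a network pivot for hunting. The script below is an added example, not code from the US-CERT alert or from this page's author: it parses a constructed connection log laid out in Zeek conn.log field order, keeps outbound TCP sessions to those two ports that are not headed for an allowlisted proxy, and then flags source/destination pairs that check in at a regular interval, which is how a backdoor polling its server tends to look. The internal ranges, the allowlisted proxy address and every log line are constructed assumptions.

```python
"""Hunt for outbound TCP sessions to the ports Volgmer uses for its custom C2
protocol (8080, 8088) and flag source/destination pairs that check in on a
regular interval. Added example; not code from the US-CERT alert or any vendor."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean

C2_PORTS = {8080, 8088}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: an external cloud web proxy that legitimately listens on 8080 (constructed value).
ALLOWLISTED_DESTINATIONS = {"203.0.113.5"}

# Constructed sample log in Zeek conn.log field order (ts, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes); not real traffic.
SAMPLE_LOG = """\
1700000000.0 10.1.2.50 49152 203.0.113.5 8080 tcp 1200 54000
1700000000.0 10.1.2.77 49201 203.0.113.10 8088 tcp 312 96
1700000100.0 10.1.2.50 49300 198.51.100.20 443 tcp 4000 80000
1700000200.0 10.1.2.90 49400 198.51.100.33 8080 tcp 800 2500
1700000250.0 10.1.2.90 49401 198.51.100.33 8080 udp 120 0
1700000300.0 10.1.2.77 49220 203.0.113.10 8088 tcp 310 98
1700000400.0 10.1.2.60 50000 10.1.2.61 8088 tcp 500 500
1700000600.0 10.1.2.77 49241 203.0.113.10 8088 tcp 314 95
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    orig_bytes: int
    resp_bytes: int


def parse_conn_log(text: str) -> list[Conn]:
    """Parse whitespace-separated records; blank lines and '#' comments are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        conns.append(Conn(float(f[0]), f[1], int(f[2]), f[3], int(f[4]),
                          f[5].lower(), int(f[6]), int(f[7])))
    return conns


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_sessions(conns: list[Conn]) -> list[Conn]:
    """Outbound TCP sessions to a C2 port whose destination is not allowlisted."""
    return [c for c in conns
            if c.proto == "tcp"
            and c.dst_port in C2_PORTS
            and is_internal(c.src) and not is_internal(c.dst)
            and c.dst not in ALLOWLISTED_DESTINATIONS]


def beacon_candidates(sessions: list[Conn], min_sessions: int = 3,
                      tolerance: float = 0.10) -> dict[tuple[str, str], float]:
    """Return {(src, dst): mean interval in seconds} for pairs with at least
    `min_sessions` sessions whose gaps all lie within `tolerance` of the mean."""
    by_pair: dict[tuple[str, str], list[float]] = defaultdict(list)
    for s in sessions:
        by_pair[(s.src, s.dst)].append(s.ts)
    result = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_sessions:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= tolerance * avg:
            result[pair] = avg
    return result


if __name__ == "__main__":
    hits = suspicious_sessions(parse_conn_log(SAMPLE_LOG))
    for h in hits:
        print(f"{h.ts:.0f} {h.src} -> {h.dst}:{h.dst_port} "
              f"({h.orig_bytes} out / {h.resp_bytes} in)")
    for (src, dst), avg in beacon_candidates(hits).items():
        print(f"beacon-like: {src} -> {dst} every ~{avg:.0f}s")
```

Port 8080 in particular is a common legitimate proxy port, so the output is a triage list rather than a signature; the regular-interval check narrows it, and the hits should be correlated with the host-based rules and network signatures published in the alert before any host is treated as infected.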
Volgmer can perform the following functions:
- Gather system information
- Update service registry keys
- Download and upload files
- Execute commands
- Terminate processes
- List directories
- Control botnets
Successful network intrusion could result in the following impacts:
- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial losses incurred to restore systems and files, and
- Potential harm to an organization’s reputation.
The United States Computer Emergency Readiness Team (US-CERT) released a joint Technical Alert detailing Volgmer and its use by HIDDEN COBRA, including technical details, network signatures and host-based rules, and mitigation strategies. The alert is available here.