S0180 Volgmer
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing.[2]
Item | Value |
---|---|
ID | S0180 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 16 January 2018 |
Last Modified | 26 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Volgmer can execute commands on the victim’s machine.[2][1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service’s Registry entry. Some Volgmer variants also install .dll files as services with names generated from a list of hard-coded strings.[2][1][3] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Volgmer deobfuscates its strings and APIs once it is executed.[1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Volgmer uses a simple XOR cipher to encrypt traffic and files.[1] |
enterprise | T1573.002 | Asymmetric Cryptography | Some Volgmer variants use SSL to encrypt C2 communications.[2] |
enterprise | T1083 | File and Directory Discovery | Volgmer can list directories on a victim.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Volgmer can delete files and itself after infection to avoid analysis.[1] |
enterprise | T1105 | Ingress Tool Transfer | Volgmer can download remote files and additional payloads to the victim’s machine.[2][1][3] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.004 | Masquerade Task or Service | Some Volgmer variants add new services with display names generated from a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[1][3] |
enterprise | T1112 | Modify Registry | Volgmer modifies the Registry to store an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[1][3] |
enterprise | T1106 | Native API | Volgmer executes payloads using the Windows API call CreateProcessW().[1] |
enterprise | T1027 | Obfuscated Files or Information | A Volgmer variant is encoded using a simple XOR cipher.[1] |
enterprise | T1027.011 | Fileless Storage | Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.[2][3] |
enterprise | T1057 | Process Discovery | Volgmer can gather a list of processes.[3] |
enterprise | T1012 | Query Registry | Volgmer checks the system for certain Registry keys.[1] |
enterprise | T1082 | System Information Discovery | Volgmer can gather system information, including the computer name, OS version, and drive and serial information, from the victim’s machine.[2][1][3] |
enterprise | T1016 | System Network Configuration Discovery | Volgmer can gather the IP address of the victim’s machine.[3] |
enterprise | T1049 | System Network Connections Discovery | Volgmer can gather information about TCP connection state.[3] |
enterprise | T1007 | System Service Discovery | Volgmer queries the system to identify existing services.[2] |
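As an added hunt example (not part of the ATT&CK entry or the cited reports), the following PowerShell enumerates the two Registry artifacts described in the T1543.003, T1112 and T1027.011 rows above: values under the WMI\Security key whose names are not GUIDs, and svchost-hosted services whose ServiceDll resolves outside %SystemRoot%. It assumes that legitimate values under that key are GUID-named and that it runs on a Windows host with administrative read access; a malicious DLL dropped into System32 would pass the path test and needs a separate signature or hash check.

```powershell
# Added hunt script; assumptions: legitimate values under WMI\Security are
# GUID-named, and legitimate ServiceDll paths live under %SystemRoot%.
$wmiSec = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'
$guidRe = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

Write-Host "[*] Non-GUID values under $wmiSec (possible stored config):"
$key = Get-Item -LiteralPath $wmiSec -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        if ($name -notmatch $guidRe) {
            $data = $key.GetValue($name)
            # Report size so an analyst can spot an unusually large binary blob.
            $len = if ($data -is [byte[]]) { $data.Length } else { "$data".Length }
            [pscustomobject]@{
                Value  = $name
                Kind   = $key.GetValueKind($name)
                Length = $len
            }
        }
    }
}

Write-Host "[*] Services whose ServiceDll is outside $env:SystemRoot:"
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $params = Join-Path $_.PSPath 'Parameters'
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll `
            -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        if ($expanded -notlike "$env:SystemRoot\*") {
            [pscustomobject]@{
                Service    = $_.PSChildName
                ServiceDll = $expanded
                Exists     = (Test-Path -LiteralPath $expanded)
            }
        }
    }
}
```

Run it in an elevated session and compare the output against a known-good baseline from the same build; the second list is normally empty on a default Windows install.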
Groups That Use This Software
ID | Name | References |
---|---|---|
G0032 | Lazarus Group | 2 |
References
1. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
2. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
3. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.