Skip to content

S0180 Volgmer

Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. 1

Item Value
ID S0180
Associated Names
Version 1.1
Created 16 January 2018
Last Modified 25 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Volgmer can execute commands on the victim’s machine.12
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service’s Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.123
enterprise T1140 Deobfuscate/Decode Files or Information Volgmer deobfuscates its strings and APIs once its executed.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Volgmer uses a simple XOR cipher to encrypt traffic and files.2
enterprise T1573.002 Asymmetric Cryptography Some Volgmer variants use SSL to encrypt C2 communications.1
enterprise T1083 File and Directory Discovery Volgmer can list directories on a victim.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Volgmer can delete files and itself after infection to avoid analysis.2
enterprise T1105 Ingress Tool Transfer Volgmer can download remote files and additional payloads to the victim’s machine.123
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.23
enterprise T1112 Modify Registry Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.23
enterprise T1106 Native API Volgmer executes payloads using the Windows API call CreateProcessW().2
enterprise T1027 Obfuscated Files or Information A Volgmer variant is encoded using a simple XOR cipher.2
enterprise T1057 Process Discovery Volgmer can gather a list of processes.3
enterprise T1012 Query Registry Volgmer checks the system for certain Registry keys.2
enterprise T1082 System Information Discovery Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim’s machine.123
enterprise T1016 System Network Configuration Discovery Volgmer can gather the IP address from the victim’s machine.3
enterprise T1049 System Network Connections Discovery Volgmer can gather information about TCP connection state.3
enterprise T1007 System Service Discovery Volgmer queries the system to identify existing services.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1


Back to top