(US-CERT) Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer. As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Tool: Volgmer
Names: Volgmer, Manuscrypt
Description: see the US-CERT summary at the top of this page.
Category: Malware
Type: Reconnaissance, Backdoor, Info stealer, Exfiltration, Botnet
Information: https://www.us-cert.gov/ncas/alerts/TA17-318B
Information: https://securelist.com/operation-applejeus/87553/
Mitre-attack: https://attack.mitre.org/software/S0180/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer
Alienvault-otx: https://otx.alienvault.com/browse/pulses?q=tag:volgmer
Last-card-change: 2020-05-14
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Tactic | Technique | Description
---|---|---
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Volgmer can execute commands on the victim's machine.
Persistence (TA0003) | T1543.003 Create or Modify System Process: Windows Service | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDll entry in the service's registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.
Privilege Escalation (TA0004) | T1543.003 Create or Modify System Process: Windows Service | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDll entry in the service's registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.
Defense Evasion (TA0005) | T1140 Deobfuscate/Decode Files or Information | Volgmer deobfuscates its strings and APIs once it is executed.
Defense Evasion (TA0005) | T1070.004 Indicator Removal: File Deletion | Volgmer can delete files and itself after infection to avoid analysis.
Defense Evasion (TA0005) | T1036.004 Masquerading: Masquerade Task or Service | Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.
Defense Evasion (TA0005) | T1112 Modify Registry | Volgmer modifies the registry to store an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.
Defense Evasion (TA0005) | T1027.011 Obfuscated Files or Information: Fileless Storage | Volgmer stores an encoded configuration file in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.
Discovery (TA0007) | T1082 System Information Discovery | Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.
Discovery (TA0007) | T1016 System Network Configuration Discovery | Volgmer can gather the IP address from the victim's machine.
Command and Control (TA0011) | T1573.001 Encrypted Channel: Symmetric Cryptography | Volgmer uses a simple XOR cipher to encrypt traffic and files.
Command and Control (TA0011) | T1573.002 Encrypted Channel: Asymmetric Cryptography | Some Volgmer variants use SSL to encrypt C2 communications.
Command and Control (TA0011) | T1105 Ingress Tool Transfer | Volgmer can download remote files and additional payloads to the victim's machine.