Volgmer

Malware updated 4 months ago (2024-05-05T09:17:34.960Z)
Volgmer is a backdoor Trojan malware, designed to provide covert access to a compromised system. Developed by the Lazarus Group, it has been used as a conduit for serving backdoors to control infected systems. This malware has been observed in 32-bit form as either executables or dynamic-link library (.dll) files and installs a copy of itself into a randomly selected service on the system. Volgmer's capabilities include gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories.

Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware to target the government, financial, automotive, and media industries. The AhnLab Security Emergency Response Center (ASEC) detailed the use of Volgmer and other malware families like Scout by the Lazarus Group. The greatest concentrations of dynamic IP addresses linked to Volgmer infections were found in India (25.4%), Iran (12.3%), Pakistan (11.3%), Saudi Arabia (6%), Taiwan (5.6%), Thailand (4.6%), Sri Lanka (4%), China (2.7%), Vietnam (2.6%), Indonesia (2.2%), and Russia (2.2%). Spear phishing is suspected to be the primary delivery mechanism for Volgmer infections, although HIDDEN COBRA actors also use a suite of custom tools, some of which could potentially be used to initially compromise a system.

In response to this threat, the U.S. Government's National Cybersecurity and Communications Integration Center (NCCIC) analyzed five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). If users or administrators detect activity associated with the Volgmer malware, they are advised to immediately flag it, report it to the NCCIC or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.

Indicators of Compromise (IOCs) related to HIDDEN COBRA, and specifically to Volgmer, can be downloaded from the US-CERT CISA website.
Description last updated: 2024-05-05T08:28:07.388Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware
Source Document References
Information about the Volgmer malware was read from the document corpus below.
Source / Created / Title
CERT-EU / a year ago / Microsoft Warns of North Korean Attacks Exploiting JetBrains TeamCity Flaw
MITRE / 2 years ago / HIDDEN COBRA – North Korean Trojan: Volgmer | CISA