
Volgmer

Posted: May 12, 2020

Volgmer is a backdoor Trojan that gives attackers remote control over infected Windows PCs. It is a custom tool strongly associated with Hidden Cobra (also known as Lazarus Group), a North Korea-sponsored hacking group. Users should scrutinize e-mails for phishing attempts that might install it and use anti-malware utilities as appropriate for removing Volgmer and protecting their machines.

The Service that's More than It Seems

Backdoor Trojans are among the essential workhorses of modern spying and surveillance, with most of the features a hacker needs to keep an eye on a breached network over the long term. Although many threat actors rotate through these tools and update them rapidly, some Trojans stick around longer than others. Volgmer, a North Korea-sponsored threat, has been attacking victims around the world since 2013.

Volgmer is a Windows program observed in two payload formats: a DLL or an EXE. As a Hidden Cobra (AKA Lazarus Group) tool, it gives attackers remote administrative features: file download and upload, collection of general system information, command execution, a frequently obfuscated C&C connection, and arbitrary termination of running processes. These capabilities are what malware experts expect of similarly purposed backdoor Trojans such as EnigmaSpark or Aria-body.

Volgmer's persistence mechanism is, however, more novel than its payload. Rather than registering a new, conspicuously named service, it picks an existing service at random and hijacks it, changing that service's Registry entry so that the launch path points to a copy of the Trojan. The list of installed services therefore still looks normal, while the Trojan runs continuously under a legitimate service name, an ideal arrangement for spy software.
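Because the hijack reuses an existing service name, reviewing the service list by name will not catch it; what changes is the launch path recorded in the Registry. The following Python script is an added example, not code from the original article or from any Volgmer analysis, showing one way to catch that change: snapshot the launch-path values under HKLM\SYSTEM\CurrentControlSet\Services (ImagePath, plus Parameters\ServiceDll for svchost-hosted services) and diff a later snapshot against the baseline. The two registry dumps, the service selection and the DLL name wtsrv32.dll are constructed for the example, and the assumption that the rewritten entry is ImagePath or ServiceDll is this example's, since the article only says "the Registry entry".

```python
"""Detect a hijacked Windows service by diffing two snapshots of the service
launch paths in HKLM\\SYSTEM\\CurrentControlSet\\Services (added example)."""
import re
from typing import Dict, List, Tuple

# Key lines of a `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` dump:
# capture the service name and whether this is its Parameters subkey.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(\\Parameters)?\s*$"
)
# The two values that decide which binary the service actually launches.
VALUE_RE = re.compile(r"^\s+(ImagePath|ServiceDll)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")

# Constructed sample snapshots in the shape of `reg query ... /s` output
# (not a real capture; only launch-relevant values are shown).
BASELINE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\w32time.dll
"""

# Same machine later: service names are unchanged, but W32Time now loads a
# different DLL (wtsrv32.dll is a made-up name standing in for a Trojan copy).
# Spooler's path differs only in case and variable form and must NOT be flagged.
CURRENT_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %windir%\system32\SPOOLSV.EXE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wtsrv32.dll
"""


def normalize_path(value: str) -> str:
    """Canonicalize the variable and case variants Windows accepts for the same
    file, so a cosmetic difference is not reported as a hijack."""
    v = value.strip()
    for var in ("%SystemRoot%", "%windir%"):
        v = re.sub(re.escape(var), lambda _m: "C:\\Windows", v, flags=re.IGNORECASE)
    if v.lower().startswith("\\systemroot\\"):  # NT-style \SystemRoot\... form
        v = "C:\\Windows" + v[len("\\SystemRoot"):]
    return v.lower()


def parse_services(reg_dump: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {"ImagePath": ..., "ServiceDll": ...}} from a dump."""
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for line in reg_dump.splitlines():
        if line.startswith("HKEY_"):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # skip Security, Enum, ... subkeys
            if current is not None:
                services.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            services[current][m.group(1)] = normalize_path(m.group(2))
    return services


def diff_services(baseline: Dict[str, Dict[str, str]],
                  current: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Report (service, reason, detail) for each launch-path change or new service."""
    findings = []
    for name, vals in sorted(current.items()):
        base = baseline.get(name)
        if base is None:
            findings.append((name, "new service", vals.get("ImagePath", "")))
            continue
        for field in ("ImagePath", "ServiceDll"):
            if vals.get(field) != base.get(field):
                findings.append((name, f"{field} changed",
                                 f"{base.get(field)} -> {vals.get(field)}"))
    return findings


def hijacked_services(baseline_dump: str, current_dump: str) -> List[Tuple[str, str, str]]:
    return diff_services(parse_services(baseline_dump), parse_services(current_dump))


if __name__ == "__main__":
    for service, reason, detail in hijacked_services(BASELINE_DUMP, CURRENT_DUMP):
        print(f"[!] {service}: {reason}: {detail}")
```

On a real host the baseline would be taken from a known-good image and the current dump from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`; the diff then points straight at the one service whose binary has been swapped, regardless of how normal its name looks. Normalizing the path first matters, because Windows accepts %SystemRoot%, %windir% and \SystemRoot\ interchangeably and a raw string comparison would drown the real finding in noise.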

Stopping a Trojan from Passing along Company Information

Infrastructure associated with Volgmer suggests that nations such as India and much of the Middle East are high-priority targets. Besides Hidden Cobra's usual compromising of government entities, related attacks have hit industries such as telecommunications, media and finance. While Volgmer has a broad feature set of its own, the threat actor also may supplement it with other utilities, such as the Brambul worm, Electricfish or the NukeSped RAT.

Phishing lures, delivered over e-mail or instant messaging, are the usual way this kind of targeted compromise gets its first foothold in a network, and in this respect Volgmer differs little from its peers. Users should take the standard precautions against such attacks: disable Office macros, configure Windows to show file extensions, and scan documents and other attachments before opening them.

All users also should run anti-malware software with the latest signature databases. Updates to the Trojan may make it harder to detect than earlier versions. Still, conventional anti-malware solutions remain the best means of removing Volgmer or catching the components that load it, such as a drive-by download attack.

Volgmer is an opportunistic threat that mixes randomization into otherwise predictable behavior to keep its victims guessing. As a spy-enabler, it shows how hackers are becoming increasingly creative in their search for an 'undetectable' means of computer surveillance.
