The FBI and the DHS issued a joint warning on the “Volgmer” Trojan malware, which has been infecting multiple organizations across industries over the past few years. The FBI has “high confidence” that the IPs linked to Volgmer belong to North Korea.
The FBI said that the Volgmer malware has been noticed in the wild since 2013 and has targeted government, financial, automotive, and media industries. The primary delivery mechanism for the malware seems to be spear phishing, a type of phishing attack in which a specific individual or organization is targeted. Through it, the attackers can gain higher privileges inside the network and then further infect the network with their malware.
The Volgmer backdoor is capable of gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. The US-CERT Code Analysis Team also observed in one of the malware samples that Volgmer has botnet controller functionality, too.
According to the government agencies inspecting this malware, Volgmer has been seen in 32-bit executable form, as well as a dynamic-link library (.dll). The malware uses a custom protocol, often with RC4 encryption, to send back data to the command and control (C2) servers. Volgmer maintains persistence by randomly selecting a Windows service in which it can copy itself.
The FBI and the DHS recommend that organizations take a look at the Volgmer-linked IPs and analysis. If they find those IPs connecting to their networks, the companies should take measures to block them and then look for the malware and remove it.
The government agencies have also prepared a list of host-based rules and network signatures that companies can use to detect malware activity related to North Korea. They warned that despite the careful selection of those rules and signatures, some false positives may exist.
The DHS also recommended that organizations implement security best practices, such as:
The agencies would also like to remind companies that a successful network intrusion can lead to loss of sensitive and proprietary information, disruption to regular operations, and financial and reputation losses.