Malware : HIDDEN COBRA Trojan 'Volgmer' Detection

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.112144

Kategorie: Malware

Titel: HIDDEN COBRA Trojan 'Volgmer' Detection

Zusammenfassung: This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.

Beschreibung: Summary:
This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.

Vulnerability Insight:
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys,
downloading and uploading files, executing commands, terminating processes, and listing directories.

It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections. However, HIDDEN COBRA actors use a suite of custom tools,
some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files.
The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088,
with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

Malicious actors commonly maintain persistence on a victim's system by installing the malware-as-a-service.
Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry.
In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Vulnerability Impact:
Successful exploitation will give an attacker the opportunity to steal your sensitive data and gain backdoor access to your system.

Solution:
Check the reference and apply the 'Mitigation Recommendations' that are being explained at the bottom of the document.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Copyright Copyright (C) 2017 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.112144
Kategorie:	Malware
Titel:	HIDDEN COBRA Trojan 'Volgmer' Detection
Zusammenfassung:	This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.
Beschreibung:	Summary: This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'. Vulnerability Insight: As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections. However, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer. Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications. Malicious actors commonly maintain persistence on a victim's system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words. Vulnerability Impact: Successful exploitation will give an attacker the opportunity to steal your sensitive data and gain backdoor access to your system. Solution: Check the reference and apply the 'Mitigation Recommendations' that are being explained at the bottom of the document. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Copyright	Copyright (C) 2017 Greenbone AG