Malware : HIDDEN COBRA Trojan 'Volgmer' Detection

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.112144

Category: Malware

Title: HIDDEN COBRA Trojan 'Volgmer' Detection

Summary: This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.

Description: Summary:
This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.

Vulnerability Insight:
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys,
downloading and uploading files, executing commands, terminating processes, and listing directories.

It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections. However, HIDDEN COBRA actors use a suite of custom tools,
some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.

Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files.
The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088,
with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

Malicious actors commonly maintain persistence on a victim's system by installing the malware-as-a-service.
Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry.
In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

Vulnerability Impact:
Successful exploitation will give an attacker the opportunity to steal your sensitive data and gain backdoor access to your system.

Solution:
Check the reference and apply the 'Mitigation Recommendations' that are being explained at the bottom of the document.

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Copyright Copyright (C) 2017 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.112144
Category:	Malware
Title:	HIDDEN COBRA Trojan 'Volgmer' Detection
Summary:	This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'.
Description:	Summary: This script tries to detect indicators in the Windows registry for malicious tools used by North Korean APT group 'HIDDEN COBRA'. Vulnerability Insight: As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections. However, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer. Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications. Malicious actors commonly maintain persistence on a victim's system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words. Vulnerability Impact: Successful exploitation will give an attacker the opportunity to steal your sensitive data and gain backdoor access to your system. Solution: Check the reference and apply the 'Mitigation Recommendations' that are being explained at the bottom of the document. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Copyright	Copyright (C) 2017 Greenbone AG