Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. [1]

ID: S0180
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Volgmer can execute commands on the victim's machine. [1][2]
Enterprise | T1043 | Commonly Used Port | Some Volgmer variants use ports 8080 and 8000 for C2. [1][2][3]
Enterprise | T1094 | Custom Command and Control Protocol | Volgmer uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications. [1][2]
Enterprise | T1132 | Data Encoding | Volgmer encodes files before exfiltration. [2]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Volgmer deobfuscates its strings and APIs once it is executed. [2]
Enterprise | T1106 | Execution through API | Volgmer executes payloads using the Windows API call CreateProcessW(). [2]
Enterprise | T1083 | File and Directory Discovery | Volgmer can list directories on a victim. [1]
Enterprise | T1107 | File Deletion | Volgmer can delete files and itself after infection to avoid analysis. [2]
Enterprise | T1036 | Masquerading | Some Volgmer variants add new services with display names generated from a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service. [2][3]
Enterprise | T1031 | Modify Existing Service | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. [1]
Enterprise | T1112 | Modify Registry | Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security. [2][3]
Enterprise | T1050 | New Service | Some Volgmer variants install .dll files as services with names generated from a list of hard-coded strings. [2][3]
Enterprise | T1027 | Obfuscated Files or Information | A Volgmer variant is encoded using a simple XOR cipher. [2]
Enterprise | T1057 | Process Discovery | Volgmer can gather a list of processes. [3]
Enterprise | T1012 | Query Registry | Volgmer checks the system for certain Registry keys. [2]
Enterprise | T1105 | Remote File Copy | Volgmer can download remote files and additional payloads to the victim's machine. [1][2][3]
Enterprise | T1032 | Standard Cryptographic Protocol | Some Volgmer variants use SSL to encrypt C2 communications. [1]
Enterprise | T1082 | System Information Discovery | Volgmer can gather system information, the computer name, OS version, and drive and serial information from the victim's machine. [1][2][3]
Enterprise | T1016 | System Network Configuration Discovery | Volgmer can gather the IP address from the victim's machine. [3]
Enterprise | T1049 | System Network Connections Discovery | Volgmer can gather information about TCP connection state. [3]
Enterprise | T1007 | System Service Discovery | Volgmer queries the system to identify existing services. [1]
Enterprise | T1065 | Uncommonly Used Port | Some Volgmer variants use port 8088 for C2. [1][2][3]
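The two host artifacts this entry describes (an encoded configuration stored under HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security, and a service whose ServiceDll has been repointed at the implant) are the ones a responder would hunt for first. The read-only triage script below is an added example, not code from the ATT&CK page or from any referenced report; the GUID-name heuristic for the WMI\Security key and the 1 KiB size threshold are assumptions chosen for illustration.

```powershell
# Added example: read-only hunt for the Registry artifacts described in the Volgmer entry.
# Run in an elevated session; it only reads the Registry and checks file signatures.

# 1. Configuration storage. On a stock host this key holds REG_BINARY values named by
#    provider GUIDs (assumption used as the heuristic). Report any value whose name is not
#    a GUID or whose payload is unusually large, for manual review.
$cfgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'
$guidPattern = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
if (Test-Path $cfgKey) {
    $props = Get-ItemProperty -Path $cfgKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell provider metadata
        $size = if ($p.Value -is [byte[]]) { $p.Value.Length } else { 0 }
        if ($p.Name -notmatch $guidPattern -or $size -gt 1024) {
            [pscustomobject]@{ Artifact = 'WMI\Security value'; Name = $p.Name; Bytes = $size }
        }
    }
}

# 2. Hijacked or planted services. Walk every service's Parameters\ServiceDll, resolve the
#    path, and report DLLs that are missing or do not carry a valid Authenticode signature.
#    The display name is included because the entry notes generic names such as
#    "Application", "Background", "Security" or "Windows" being used to blend in.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $paramKey = Join-Path $_.PSPath 'Parameters'
    if (-not (Test-Path $paramKey)) { return }
    $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { return }
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $status = if (Test-Path $path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
    if ($status -ne 'Valid') {
        [pscustomobject]@{
            Artifact    = 'ServiceDll'
            Service     = $_.PSChildName
            DisplayName = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName
            Path        = $path
            Signature   = $status
        }
    }
}
```

The output is a triage list, not a verdict: third-party services legitimately ship unsigned DLLs, and on older hosts catalog-signed Windows binaries can be reported as NotSigned, so compare hits against a known-good baseline before acting on them.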


Groups that use this software:

Lazarus Group