Volgmer

The Volgmer threat is a hacking tool that belongs to the Lazarus APT (Advanced Persistent Threat). The Lazarus hacking group, known in some circles as HIDDEN COBRA, is an APT that originates from North Korea. Malware experts believe that the Lazarus APT is funded by the North Korean government and carries out cyberattacks on its behalf. This explains why the Lazarus hacking group tends to target high-ranking foreign government officials, companies, and organizations operating in industries competing with North Korea.

The Volgmer malware is a threat that got on the radars of cybersecurity analysts in 2013. Since then, the Lazarus APT has been utilizing this hacking tool regularly. The Volgmer malware serves as a backdoor that would allow the Lazarus APT to take control of the infected system and execute a variety of commands. Over the years, the Lazarus hacking group has introduced various updates and upgrades to the Volgmer Trojan, which has improved this threat greatly.

The Lazarus APT has used the Volgmer Trojan in numerous attacks targeting different companies and organizations operating in the media, automotive and financial industries. Naturally, the Volgmer threat also has been utilized in campaigns targeting government bodies and various foreign officials. The Volgmer threat is often propagated with the help of spear-phishing emails, which are designed carefully to attract the attention of users and avoid raising suspicions. The emails in question would contain a fake message and an attached file, which carries the payload of the Volgmer Trojan.

As soon as the Volgmer malware manages to compromise the targeted computer, it will enable its operators to:

• Manage the running processes.
• Download files from the infiltrated PC.
• Execute remote commands.
• Modify the Windows Registry to gain persistence on the host.
• List directories and files present on the system.
• Download files from URLs.
• Upload files from the C&C (Command & Control) server of the attackers.
• Collect basic information such as hardware and software details, as well as data regarding the user's settings and running processes.

Despite the fact that this Trojan can gain persistence via modifying the Windows Registry, it also utilizes another trick - it uses a bogus Windows Service to command the operating system to run Volgmer's executable as soon as the computer is started.

The Lazarus APT is one of the most prominent hacking groups in North Korea and has the potential to wreak havoc on the systems of its targets.