ACG-CYBER SECURITY BULLETIN NO 118 UNDERSTANDING VOLGMER BACKDOOR TROJAN
The following information was obtained from the different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Its capabilities include gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, listing directories, and botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executable or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Sockets Layer (SSL) encryption to obfuscate communications.
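A practical way to act on the beaconing behaviour described above is to look for outbound connections to the named ports that recur at a near-constant interval, which is how a timer-driven check-in differs from ordinary browsing. The following script is an added example written for this bulletin, not code from the PNP ACG or from any published Volgmer analysis; the log format, the sample records, and the thresholds (minimum of five connections, gap spread under 15%) are assumptions.

```python
"""Flag timer-like outbound connections to TCP 8080/8088 in constructed firewall logs.

A backdoor that beacons on a schedule produces gaps between connections that
are almost identical; a user's browsing to the same port does not. The script
groups connections by (source, destination, port) and reports series whose
inter-connection gaps have a low relative spread (coefficient of variation).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCH_PORTS = {8080, 8088}   # ports named in the bulletin
MIN_CONNECTIONS = 5          # assumption: fewer connections give no useful statistics
MAX_CV = 0.15                # assumption: gap spread below 15% of the mean is timer-like

# Constructed log lines in the form "timestamp src dst dport" (not real traffic).
# 10.0.0.5 checks in every ~10 minutes; 10.0.0.7 browses in irregular bursts.
SAMPLE_LOG = """\
2017-11-14T08:00:00 10.0.0.5 203.0.113.10 8080
2017-11-14T08:10:01 10.0.0.5 203.0.113.10 8080
2017-11-14T08:20:00 10.0.0.5 203.0.113.10 8080
2017-11-14T08:29:59 10.0.0.5 203.0.113.10 8080
2017-11-14T08:40:02 10.0.0.5 203.0.113.10 8080
2017-11-14T08:50:00 10.0.0.5 203.0.113.10 8080
2017-11-14T08:01:13 10.0.0.7 198.51.100.20 8080
2017-11-14T08:01:15 10.0.0.7 198.51.100.20 8080
2017-11-14T08:01:16 10.0.0.7 198.51.100.20 8080
2017-11-14T08:45:40 10.0.0.7 198.51.100.20 8080
2017-11-14T09:30:02 10.0.0.7 198.51.100.20 8080
2017-11-14T08:00:00 10.0.0.9 198.51.100.30 443
2017-11-14T08:05:00 10.0.0.9 198.51.100.30 443
"""


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, ports=WATCH_PORTS, min_conn=MIN_CONNECTIONS, max_cv=MAX_CV):
    """Return {(src, dst, port): mean_gap_seconds} for series with timer-like gaps."""
    series = defaultdict(list)
    for ts, src, dst, port in records:
        if port in ports:
            series[(src, dst, port)].append(ts)

    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_conn:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg   # relative spread of the gaps
        if cv <= max_cv:
            flagged[key] = round(avg)
    return flagged


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{port} every ~{gap}s")
```

Run against the constructed sample, only the 10.0.0.5 series is reported (a roughly 600-second interval); the bursty 10.0.0.7 traffic and the port-443 records are not. On real logs, feed the same records into the parser and tune the thresholds to the environment, bearing in mind that legitimate agents (update clients, monitoring tools) also beacon regularly and need to be baselined out.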
Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDll entry in the selected service's registry key. Because of this, there are no signs of the infection at first, and the Trojan can go unnoticed for as long as several months.
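Since the persistence described above leaves a trace in the registry, a defender can enumerate every service's ServiceDll value and flag entries that do not point at a DLL under the expected system directory. The script below is an added example for this bulletin, not code from the PNP ACG; on Windows it reads the live registry through the standard winreg module, and elsewhere it runs over a constructed sample. The trusted-directory baseline, the sample entries and the service names used in them are assumptions.

```python
"""Audit Services\\<name>\\Parameters\\ServiceDll values for hijack indicators.

A service DLL that lives outside the Windows system directory, sits in a
user-writable folder, or is given as a bare file name rather than an absolute
path is worth a closer look, because an overwritten ServiceDll is how the
bulletin describes Volgmer installing itself.
"""
import sys

# Assumption: service DLLs are expected under the Windows System32 tree.
TRUSTED_PREFIX = "c:\\windows\\system32\\"

# Constructed sample of (service name, ServiceDll value) pairs, not a real export.
SAMPLE_ENTRIES = [
    ("Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),
    ("LanmanServer", r"%SystemRoot%\system32\srvsvc.dll"),
    ("Browser", r"C:\ProgramData\svchost\bscache.dll"),    # constructed: outside System32
    ("Schedule", r"%SystemRoot%\System32\schedsvc.dll"),
    ("SampleSvc", "helper.dll"),                            # constructed: bare file name
    ("Themes", r"C:\Users\Public\themesvc.dll"),            # constructed: user-writable dir
]


def normalize(path):
    """Lower-case the path and expand the common Windows root variables textually."""
    p = path.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def audit(entries):
    """Return [(service, dll, reason)] for ServiceDll values that look suspicious."""
    findings = []
    for service, dll in entries:
        norm = normalize(dll)
        if not norm.endswith(".dll"):
            findings.append((service, dll, "ServiceDll does not name a .dll file"))
        elif len(norm) < 3 or norm[1:3] != ":\\":
            findings.append((service, dll, "ServiceDll is not an absolute path"))
        elif not norm.startswith(TRUSTED_PREFIX):
            findings.append((service, dll, "ServiceDll loaded from outside System32"))
    return findings


def collect_service_dlls():
    """On Windows, read ServiceDll from every service's Parameters key."""
    import winreg  # only available on Windows
    base = r"SYSTEM\CurrentControlSet\Services"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as services:
        subkey_count = winreg.QueryInfoKey(services)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll, _ = winreg.QueryValueEx(params, "ServiceDll")
                    entries.append((name, dll))
            except OSError:
                continue  # service has no Parameters key or no ServiceDll value
    return entries


if __name__ == "__main__":
    entries = collect_service_dlls() if sys.platform == "win32" else SAMPLE_ENTRIES
    for service, dll, reason in audit(entries):
        print(f"{service}: {dll}  <- {reason}")
```

Anything the audit flags should be compared against a known-good baseline of the same host build before being treated as an infection, since some legitimate services do load DLLs from subdirectories or vendor paths; the value of the check is in spotting a ServiceDll that has changed from what the baseline recorded.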
It may arrive alongside ransomware as a component of a spam email or attachment (image, archive, .exe file), or as a drive-by download triggered by clicking on malicious pop-ups or other ads. Other possible sources include shareware, software bundles, torrents, and illegal or compromised web pages.
To prevent infection, users should stay away from Volgmer's possible sources. Users should deny any User Account Control (UAC) request unless they are themselves making changes to their system. Likewise, users must be cautious when visiting web pages that may carry malicious code, since such pages are how an attacker gains a foothold on the system.
Further, it is best to install security software that warns of malicious software, together with a reputable, high-quality anti-malware tool. Reputable anti-virus software will also go a long way toward protecting the system from other cyber threats.
PNP personnel and the public are advised to follow the best practices listed for securing and protecting information whether for personal use or work:
- Keep operating systems and software up-to-date with the latest patches;
- Maintain up-to-date antivirus software and scan all software downloaded from the internet before executing it;
- Restrict users' abilities (permissions) to install and run unwanted software applications and apply the principle of "least privilege" to all systems and services;
- Avoid enabling macros from email attachments;
- Do not follow unsolicited web links in emails; and
- Do not open emails and pop-ups that are suspicious.
For additional information, please refer to the following websites:
POINT OF CONTACT