Volgmer Backdoor Trojan

Volgmer is a backdoor trojan used by the North Korean government since 2013 to provide covert access to government, health, financial, automotive, and media targets in multiple countries. Its capabilities include gathering system information, updating service registry keys, downloading files, executing processes, and terminating processes. One sample had botnet controller functionality.

The primary attack vector is believed to be spear-phishing, although it is possible that this mechanism may change, as the North Korean government maintains a custom suite of delivery tools. Payloads have been observed as either 32-bit executables or dynamic-link libraries (DLLs), with the malware beaconing to its command and control (C2) server using a custom binary protocol. Persistence on a user’s system is achieved by installing a copy of the malware inside a randomly selected service.

The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.

The U.S. government’s analysis of Volgmer’s infrastructure identified it using 94 static IPs, as well as dynamic IPs registered in India, Iran, Pakistan, Saudi Arabia, Taiwan, Thailand, Sri Lanka, China, Vietnam, Indonesia, and Russia.

  • India (772 IPs) 25.4 percent
  • Iran (373 IPs) 12.3 percent
  • Pakistan (343 IPs) 11.3 percent
  • Saudi Arabia (182 IPs) 6 percent
  • Taiwan (169 IPs) 5.6 percent
  • Thailand (140 IPs) 4.6 percent
  • Sri Lanka (121 IPs) 4 percent
  • China (82 IPs, including Hong Kong (12)) 2.7 percent
  • Vietnam (80 IPs) 2.6 percent
  • Indonesia (68 IPs) 2.2 percent
  • Russia (68 IPs) 2.2 percent
IP Addresses To Block

The following is a list of command and control IP addresses to block.

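As an added example (not part of the original post), the following Python script shows how a defender can turn a defanged list like the one above into a validated block list, sweep firewall log lines for connections to those addresses, and flag the ones on the 8080/8088 ports the post describes. The addresses and log lines are constructed placeholders from the RFC 5737 documentation ranges, not the indicators published above, and the log format is an assumption.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed placeholders from the RFC 5737 documentation ranges, NOT the
# advisory's real indicators; paste the advisory's defanged list here in practice.
DEFANGED_C2_LIST = """
192[.]0[.]2[.]10
198[.]51[.]100[.]7
203[.]0[.]113[.]55
not-an-ip[.]example
"""
# Ports the post reports Volgmer beaconing over.
VOLGMER_C2_PORTS = {8080, 8088}
# Constructed firewall log lines (assumed format) for demonstration only.
SAMPLE_LOG = """\
2017-11-14T10:01:02Z ALLOW src=10.0.0.5:49152 dst=192.0.2.10:8080 proto=tcp
2017-11-14T10:01:09Z ALLOW src=10.0.0.5:49153 dst=93.184.216.34:443 proto=tcp
2017-11-14T10:02:30Z ALLOW src=10.0.0.9:49200 dst=198.51.100.7:8088 proto=tcp
2017-11-14T10:03:00Z ALLOW src=10.0.0.9:49201 dst=203.0.113.55:22 proto=tcp
"""
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def refang(defanged: str) -> set[str]:
    """Turn '1[.]2[.]3[.]4' lines into validated dotted-quad strings.
    Tokens that do not parse as IPv4 addresses are dropped, so a stray
    line cannot silently widen the block list."""
    out = set()
    for line in defanged.splitlines():
        cand = line.strip().replace("[.]", ".")
        try:
            out.add(str(IPv4Address(cand)))  # empty/invalid lines raise here
        except AddressValueError:
            continue
    return out


def find_c2_hits(log_text, c2_ips):
    """Return (src, dst, dport) for each connection to a listed address; the
    port is kept so an analyst can see whether it fits the 8080/8088 pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") in c2_ips:
            hits.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return hits


def iptables_rules(c2_ips):
    """One outbound DROP rule per address, sorted numerically for stable diffs."""
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(c2_ips, key=IPv4Address)]
```

Connections to a listed address on any port are worth a look, since the post says only that 8080 and 8088 are the ports often used, not the only ones.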
Duncan Newell

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
