Volgmer Backdoor Trojan
Volgmer is a backdoor trojan used by the North Korean government since 2013 to provide covert access to government, health, financial, automotive, and media targets in multiple countries. It has multiple capabilities including: gathering system information, updating service registry keys, downloading files and executing processes, terminate processes. One sample had botnet controller functionality.
The primary attack vector is believed to be spear-phishing, although is possible that this mechanism may change as the North Korean government maintains a custom suite of delivery tools. Payloads have been observed as either 32-bit executables or dynamic-link libraries (DLLs), with the malware beaconing to its command and control (C2) server using a custom binary protocol. Persistence on a user’s system is achieved by installing a copy of the malware inside a randomly selected service.
The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
The U.S. government’s analysis of Volgmer’s infrastructure identified it using 94 static IPs, as well as dynamic IPs registered in India, Iran, Pakistan, Saudi Arabia, Taiwan, Thailand, Sri Lanka, China, Vietnam, Indonesia, and Russia.
- India (772 IPs) 25.4 percent
- Iran (373 IPs) 12.3 percent
- Pakistan (343 IPs) 11.3 percent
- Saudi Arabia (182 IPs) 6 percent
- Taiwan (169 IPs) 5.6 percent
- Thailand (140 IPs) 4.6 percent
- Sri Lanka (121 IPs) 4 percent
- China (82 IPs, including Hong Kong (12)) 2.7 percent
- Vietnam (80 IPs) 2.6 percent
- Indonesia (68 IPs) 2.2 percent
- Russia (68 IPs) 2.2 percent
IP Addresses To Block
The following is a list of command and control IP addresses to block.
| 199[.]68[.]196[.]125 |
| 103[.]16[.]223[.]35 |
| 113[.]28[.]244[.]194 |
| 116[.]48[.]145[.]179 |
| 186[.]116[.]9[.]20 |
| 186[.]149[.]198[.]172 |
| 195[.]28[.]91[.]232 |
| 195[.]97[.]97[.]148 |
| 199[.]15[.]234[.]120 |
| 200[.]42[.]69[.]133 |
| 203[.]131[.]222[.]99 |
| 210[.]187[.]87[.]181 |
| 83[.]231[.]204[.]157 |
| 84[.]232[.]224[.]218 |
| 89[.]190[.]188[.]42 |
| 109[.]68[.]120[.]179 |
| 85[.]132[.]123[.]50 |
| 80[.]95[.]219[.]72 |
| 88[.]201[.]64[.]185 |
| 103[.]10[.]55[.]35 |
| 45[.]124[.]169[.]36 |
| 222[.]44[.]80[.]138 |
| 61[.]153[.]146[.]207 |
| 41[.]131[.]164[.]156 |
| 82[.]129[.]240[.]148 |
| 82[.]201[.]131[.]124 |
| 31[.]146[.]82[.]22 |
| 103[.]27[.]164[.]10 |
| 103[.]27[.]164[.]42 |
| 112[.]133[.]214[.]38 |
| 114[.]79[.]141[.]59 |
| 115[.]115[.]174[.]67 |
| 115[.]178[.]96[.]66 |
| 115[.]249[.]29[.]78 |
| 117[.]211[.]164[.]245 |
| 117[.]218[.]84[.]197 |
| 117[.]239[.]102[.]132 |
| 117[.]239[.]144[.]203 |
| 117[.]240[.]190[.]226 |
| 117[.]247[.]63[.]127 |
| 117[.]247[.]8[.]239 |
| 118[.]67[.]237[.]124 |
| 125[.]17[.]79[.]35 |
| 125[.]18[.]9[.]228 |
| 14[.]102[.]46[.]3 |
| 14[.]139[.]125[.]214 |
| 14[.]141[.]129[.]116 |
| 180[.]211[.]97[.]186 |
| 182[.]156[.]76[.]122 |
| 182[.]72[.]113[.]90 |
| 182[.]73[.]165[.]58 |
| 182[.]73[.]245[.]46 |
| 182[.]74[.]42[.]194 |
| 182[.]77[.]61[.]231 |
| 183[.]82[.]199[.]174 |
| 183[.]82[.]33[.]102 |
| 203[.]110[.]91[.]252 |
| 203[.]196[.]136[.]60 |
| 203[.]88[.]138[.]79 |
| 43[.]249[.]216[.]6 |
| 45[.]118[.]34[.]215 |
| 139[.]255[.]62[.]10 |
| 128[.]65[.]184[.]131 |
| 128[.]65[.]187[.]94 |
| 178[.]248[.]41[.]117 |
| 185[.]113[.]149[.]239 |
| 185[.]115[.]164[.]86 |
| 185[.]46[.]218[.]77 |
| 213[.]207[.]209[.]36 |
| 217[.]218[.]90[.]124 |
| 217[.]219[.]193[.]158 |
| 217[.]219[.]202[.]199 |
| 37[.]235[.]21[.]166 |
| 37[.]98[.]114[.]90 |
| 78[.]38[.]114[.]15 |
| 78[.]38[.]182[.]242 |
| 78[.]39[.]125[.]67 |
| 80[.]191[.]171[.]32 |
| 85[.]185[.]30[.]195 |
| 85[.]9[.]74[.]159 |
| 89[.]165[.]119[.]105 |
| 91[.]106[.]77[.]7 |
| 91[.]98[.]112[.]196 |
| 91[.]98[.]126[.]92 |
| 91[.]98[.]36[.]66 |
| 94[.]183[.]177[.]90 |
| 95[.]38[.]16[.]188 |
| 27[.]114[.]187[.]37 |
| 116[.]90[.]226[.]67 |
| 113[.]203[.]238[.]98 |
| 115[.]186[.]133[.]195 |
| 182[.]176[.]121[.]244 |
| 182[.]187[.]139[.]132 |
| 37[.]216[.]67[.]155 |
| 84[.]235[.]85[.]86 |
| 103[.]241[.]106[.]15 |
| 203[.]118[.]42[.]155 |
| 58[.]185[.]197[.]210 |
| 123[.]231[.]112[.]147 |
| 222[.]165[.]146[.]86 |
| 122[.]146[.]157[.]141 |
| 140[.]136[.]205[.]209 |
| 110[.]77[.]137[.]38 |
| 118[.]175[.]22[.]10 |
| 125[.]25[.]206[.]15 |
| 203[.]147[.]10[.]65 |
| 58[.]82[.]155[.]98 |
| 61[.]91[.]47[.]142 |
| 185[.]134[.]98[.]141 |
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.