HIDDEN COBRA – North Korean Trojan: Volgmer
Contents
HIDDEN COBRA – North Korean Trojan: Volgmer
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP …
Systems Affected
Network systems
Overview
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP …
IoC
rule volgmer
{
meta:
description = "Malformed User Agent"
strings:
$s = "Mozillar/"
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
{
meta:
description = "Malformed User Agent"
strings:
$s = "Mozillar/"
condition:
(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}