0x13 updating the ips
Original release date: November 14, 2017 | Last revised: November 22, 2017

Systems affected: Network systems

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government, commonly known as Volgmer. FBI has high confidence that HIDDEN COBRA actors are using the IP addresses listed in this report's IOC files to maintain a presence on victims' networks and to further network exploitation.

For a downloadable copy of IOCs, see:

For more information on HIDDEN COBRA activity, visit https://

NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed.

The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Sockets Layer (SSL) encryption to obfuscate communications. Because the SSL-wrapped variants do not depend on those two ports, an IOC address match should be treated as significant on any destination port, while a connection to TCP 8080 or 8088 alone is only a weak signal that needs corroboration. Malicious actors commonly maintain persistence on a victim's system by installing the malware as a service.

As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories.

At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:

This table will be updated as information becomes available.

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. These attacks are described in detail by CERT/CC's Vulnerability Note VU#584653, the United Kingdom National Cyber Security Centre's guidance on Meltdown and Spectre, Google Project Zero, and the Institute of Applied Information Processing and Communications (IAIK) at Graz University of Technology (TU Graz). NCCIC encourages users and administrators to refer to their hardware and software vendors for the most recent information. As patches and firmware updates continue to be released, it is important to check with your hardware and software vendors to verify that their corresponding patches can be applied, as some updates may result in unintended consequences. NCCIC recommends using a test environment to verify each patch before implementing it.
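The following is an added example of how the Volgmer IOC list and the C2 ports named above can be screened against outbound connection logs; it is not code from the TA or from NCCIC. The IOC addresses are RFC 5737 documentation addresses standing in for the entries of the TA's IOC file, the internal address ranges are assumed, and the log lines and their "timestamp src dst dport proto bytes" format are constructed for the example. It scores an IOC address match as high confidence on any port (including 443, where the SSL-wrapped payloads would land) and a bare TCP 8080/8088 connection to an external host as low confidence.

```python
"""Screen outbound connection logs against the Volgmer IOC list and C2 ports.

Added example, not code from TA17-318B or from NCCIC. The IOC addresses
here are RFC 5737 documentation addresses standing in for the entries of
the TA's IOC file; the log lines and the "timestamp src dst dport proto
bytes" format are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Stand-ins for the IOC file (constructed; replace with the published list).
IOC_IPS = {"192.0.2.10", "198.51.100.77"}

# C2 ports named in the TA. A connection to these ports is only a weak
# signal by itself, so it is scored separately from an IOC address match.
VOLGMER_C2_PORTS = {8080, 8088}

# The organisation's own address space (assumed); traffic that stays inside
# it is not a beacon to an external C2 server.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: timestamp src dst dport proto bytes.
SAMPLE_LOG = """\
2017-11-14T10:01:02Z 10.0.0.15 192.0.2.10 8080 tcp 1420
2017-11-14T10:01:05Z 10.0.0.22 203.0.113.9 443 tcp 55000
2017-11-14T10:02:11Z 10.0.0.15 198.51.100.77 443 tcp 980
2017-11-14T10:03:40Z 10.0.0.31 203.0.113.50 8088 tcp 310
2017-11-14T10:04:00Z 10.0.0.15 10.0.0.1 8080 tcp 2000
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    confidence: str  # "high": IOC address; "low": C2 port to an external host


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst, dport):
    """Return the confidence level for one connection record, or None."""
    if dst in IOC_IPS:
        # An IOC address match is high confidence on any port: some Volgmer
        # payloads wrap the protocol in SSL, so 443 is as relevant as 8080.
        return "high"
    if dport in VOLGMER_C2_PORTS and not is_internal(dst):
        return "low"
    return None


def scan(log_text):
    """Parse the log text and return the records that deserve a look."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto, _nbytes = line.split()
        level = classify(src, dst, int(dport))
        if level:
            hits.append(Hit(ts, src, dst, int(dport), level))
    return hits


def hosts_by_confidence(hits):
    """Map confidence level -> sorted list of internal source hosts."""
    out = {}
    for h in hits:
        out.setdefault(h.confidence, set()).add(h.src)
    return {level: sorted(hosts) for level, hosts in out.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.confidence:4} {h.timestamp} {h.src} -> {h.dst}:{h.dport}")
    print(hosts_by_confidence(found))
```

On the constructed sample, the host 10.0.0.15 is flagged twice at high confidence (once on 8080, once on 443 to a second IOC address), 10.0.0.31 is flagged at low confidence for an 8088 connection to an unknown external host, and the internal 8080 connection is ignored. The low-confidence bucket is the place to look for the 94 static addresses' dynamic-IP neighbours that are not yet in the IOC file.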
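As an added example for the Meltdown and Spectre guidance above (not part of the advisory), the script below reads the mitigation status that Linux kernels from 4.15 onward publish under /sys/devices/system/cpu/vulnerabilities/ and reports which issues still need attention. It is meant to be run on the test host before and after a kernel or microcode update so the two snapshots can be compared. The sample directory contents are constructed so the script also runs on a machine without that directory; the mitigation strings used in the sample are ones the kernel actually emits.

```python
"""Check a Linux host's reported Meltdown/Spectre mitigation status.

Added example, not part of the advisory. Since Linux 4.15 the kernel
publishes one file per issue under /sys/devices/system/cpu/vulnerabilities/
(meltdown, spectre_v1, spectre_v2, and more on later kernels). Each file
reads "Not affected", "Vulnerable" (optionally followed by a detail) or
"Mitigation: <name>". SAMPLE_STATUS below is constructed so the script
also runs on hosts without that directory.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample: PTI in place for Meltdown, no Spectre v2 mitigation yet.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(text):
    """Map one sysfs value to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    text = text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(path=SYSFS_DIR):
    """Read every file in the sysfs directory; empty dict if the kernel predates it."""
    status = {}
    if not os.path.isdir(path):
        return status
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            status[name] = ""
    return status


def needs_attention(status):
    """Issues the kernel reports as vulnerable, or whose value cannot be parsed."""
    return sorted(name for name, value in status.items()
                  if classify(value) in ("vulnerable", "unknown"))


def compare(before, after):
    """Issues whose classification changed between two snapshots (e.g. pre/post patch)."""
    names = sorted(set(before) | set(after))
    changes = {}
    for name in names:
        old, new = classify(before.get(name, "")), classify(after.get(name, ""))
        if old != new:
            changes[name] = (old, new)
    return changes


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_STATUS
    for name, value in live.items():
        print(f"{name:12} {classify(value):12} {value}")
    print("needs attention:", needs_attention(live))
```

A "Vulnerable" entry after the vendor patch has been applied usually means the kernel is new enough but the CPU microcode is not, which is exactly the vendor dependency the advisory asks you to confirm; "Not affected" is what a patched host should report only where the CPU itself is unaffected, not as a result of patching.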