When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system.

The malware then overwrites the Service DLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.

These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.

government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a remote administration tool (RAT) used by the North Korean government—commonly known as FALLCHILL. For more information on HIDDEN COBRA activity, visit https://

Original release date: November 14, 2017 | Last revised: November 22, 2017

Network systems

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation.
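As an added example (not code from the alert) of the perimeter-log review described above: a small Python script that parses constructed firewall log lines, matches source and destination addresses against a placeholder IOC set, and tags each hit by direction so that outbound connections from internal hosts can be prioritised for the enhanced mitigation the alert calls for. The log format, the IOC values and the priority labels are all assumptions; the real indicators must come from the alert's IOC files.

```python
import ipaddress
import re
from collections import Counter
# Constructed placeholder indicators for this example only; they are NOT the
# addresses from the alert's IOC files (load those from the official files).
IOC_IPS = {"192.0.2.10", "198.51.100.77", "203.0.113.5"}
# Constructed sample perimeter (firewall) log lines in an assumed key=value format.
SAMPLE_LOG = """\
2017-11-14T08:01:12Z fw01 action=allow src=192.0.2.10 dst=10.0.0.25 dport=443
2017-11-14T08:03:05Z fw01 action=allow src=10.0.0.40 dst=198.51.100.77 dport=8080
2017-11-14T08:04:00Z fw01 action=allow src=10.0.0.40 dst=93.184.216.34 dport=443
malformed line that should be skipped, not crash the review
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for lines that cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:  # reject anything that is not a literal IP address
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec

def review_log(text, iocs):
    """Match parsed lines against the IOC set and tag the direction of each hit.
    Outbound hits (an internal host connecting to an indicator) are marked high
    priority, since they suggest the internal host may already be compromised."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in iocs:
            hits.append({**rec, "ioc": rec["src"], "direction": "inbound",
                         "internal_host": rec["dst"], "priority": "review"})
        elif rec["dst"] in iocs:
            hits.append({**rec, "ioc": rec["dst"], "direction": "outbound",
                         "internal_host": rec["src"], "priority": "high"})
    return hits

def summarize(hits):
    """Count hits per (indicator, direction) so each indicator is triaged once."""
    return Counter((h["ioc"], h["direction"]) for h in hits)
```

Indicators that appear in `IOC_IPS` but never in the summary still deserve a note in the review, since absence from one log source does not mean absence from the network.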