The article analyzes Lazarus Group’s Volgmer backdoor and Scout downloader, detailing how Volgmer operated from 2014 and how Scout began replacing Volgmer around 2022, including their C2, encryption, and anti-forensic techniques. It also covers dropper behavior, registry-based configuration storage, and various persistence and command capabilities used to control infected systems. #Volgmer #Scout
Keypoints
- The Lazarus threat group has long-running activity dating back to 2009, targeting defense, tech, and finance sectors globally with spear phishing and supply chain attacks.
- Volgmer is a DLL-type backdoor that often registers as a service and stores encrypted configuration data in the registry key HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security.
- A dropper is used to install Volgmer by packaging the DLL and config in a password-protected ZIP in the resource area and then registering a service.
- Later versions (2017–2021) keep similar C2 flow but encrypt data; since 2022, Scout has been used as a downloader/backdoor substitute for Volgmer.
- Scout Downloader (v1 and v2) downloads payloads, uses RC4/Crypto API for config data decryption, and can run GUI-like windows to disguise presence.
- The campaigns employ evasion techniques such as timestomping, file deletion, and the abuse of vulnerable drivers (BYOVD) to disable security products.
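Since the report describes Volgmer keeping its encrypted configuration as a value under the WMI\Security key, a defender can triage that key directly. The script below is an added example and not code from the ASEC report; it assumes (a heuristic, not a documented guarantee) that legitimate values under that key are binary self-relative security descriptors for ETW/WMI trace sessions, so a value that is not binary or does not parse as a security descriptor, or whose name matches the report's IoC value names, is a lead worth a closer look.

```powershell
# Added triage script (not from the ASEC report). Run from an elevated PowerShell.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Security'

# Value names listed in the report's IoC section for Volgmer configuration data.
$KnownVolgmerValueNames = @(
    '626e7376-5903-ed41-902f-e93a29dafef5',
    '626e7376-2790-10f2-dd2a-d92f482d094f'
)

function Test-BinarySecurityDescriptor {
    param([byte[]]$Bytes)
    # A self-relative SECURITY_DESCRIPTOR header is 20 bytes; anything shorter cannot be one.
    if ($null -eq $Bytes -or $Bytes.Length -lt 20) { return $false }
    try {
        # Assumption: the constructor throws on blobs that are not well-formed descriptors.
        $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)
        return $true
    } catch {
        return $false
    }
}

function Get-SuspiciousWmiSecurityValues {
    param([string]$Path = $KeyPath)
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name)
        $isBinary = ($kind -eq 'Binary')
        $isSd = $isBinary -and (Test-BinarySecurityDescriptor -Bytes $data)
        $isKnownIoc = $KnownVolgmerValueNames -contains $name
        # Report anything that is a known IoC name or does not look like a descriptor.
        if ($isKnownIoc -or -not $isSd) {
            $preview = if ($isBinary) {
                ($data[0..([Math]::Min(15, $data.Length - 1))] | ForEach-Object { $_.ToString('x2') }) -join ' '
            } else { "$data" }
            [pscustomobject]@{
                ValueName  = $name
                Kind       = $kind
                Length     = if ($isBinary) { $data.Length } else { 0 }
                KnownIoc   = $isKnownIoc
                ParsesAsSD = $isSd
                Preview    = $preview
            }
        }
    }
}

Get-SuspiciousWmiSecurityValues | Format-Table -AutoSize
```

Hits should be compared against a known-good baseline from a clean host of the same build, since a parse failure alone is not a verdict.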
MITRE Techniques
- [T1566.001] Phishing – Brief description: The Lazarus group commonly used spear phishing and supply chain attacks to gain initial access. [“The Lazarus threat group usually employed spear phishing and supply chain attacks.”]
- [T1190] Exploit Public-Facing Application – Brief description: Initial access involved exploiting a vulnerability in a Korean financial security certification software. [“The method for initial access involved the exploitation of a security vulnerability of a Korean financial security certification software.”]
- [T1189] Watering Hole – Brief description: The group conducted watering hole attacks targeting Korean enterprises in defense, manufacturing, ICT, and financial sectors. [“watering hole attacks to attack multiple Korean enterprises and organizations in the fields of defense, software, and media.”]
- [T1543.003] Create or Modify System Process: Windows Service – Brief description: Volgmer runs by being registered as a service with a disguised name. [“Volgmer, running as a service, decrypts the registry value above to obtain the configuration data.”]
- [T1112] Modify Registry – Brief description: The configuration data is stored and accessed from registry keys like HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security. [“…stored in the registry key HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security”]
- [T1055.001] Process Injection – Brief description: The installer injects the Volgmer/Scout DLL into the lsass.exe process as part of deployment. [“the created DLL is injected into the lsass.exe process.”]
- [T1070.006] Timestomping – Brief description: Timestomping is used to evade timeline analysis and other anti-forensic measures. [“timestomping is one of the major anti-forensic techniques”]
- [T1070.004] File Deletion – Brief description: The malware overwrites files with 0x5F pattern before deletion to hinder recovery. [“the file deletion command overwrites it with the value ‘0x5F 00 00 00 00 …’ before deletion”]
- [T1071.001] Web Protocols – Brief description: C2 uses HTTP(S); includes GET/POST/HEAD requests with various user agents; data is Base64/RC4 encoded. [“transmits an HTTP packet … One HTTP request method is selected among ‘GET’, ‘POST’, or ‘HEAD’”]
- [T1027] Obfuscated/Compressed Files and Information – Brief description: Configuration data is encrypted and decrypted; RC4/Base64 are used. [“encrypted configuration data … RC4 … Base64”]
Indicators of Compromise
- [Hash] MD5 – 1ecd83ee7e4cfc8fed7ceb998e75b996 and 35f9cfe5110471a82e330d904c97466a: Volgmer/Scout-related drops with initial versions described in the report.
- [File Name] Volgmer/Scout-related DLLs and dropper names (examples): bnsvc.dll and LogonHourss.dll; these illustrate random name-generation and service registration behavior.
- [Registry Key] HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security / 626e7376-5903-ed41-902f-e93a29dafef5 and HKLM\SYSTEM\CurrentControlSet\Control\WMI\Security / 626e7376-2790-10f2-dd2a-d92f482d094f: locations where configuration data is stored.
Read more: https://asec.ahnlab.com/en/57685/