Skip to content

Latest commit

 

History

History

Vollgar

Folders and files

NameName
Last commit message
Last commit date

parent directory

..

README.md

README.md

 
 

connect_back_domains.md

connect_back_domains.md

 
 

connect_back_ips.md

connect_back_ips.md

 
 

credentials.md

credentials.md

 
 

detect_vollgar.ps1

detect_vollgar.ps1

 
 

files.md

files.md

 
 

scheduled_tasks_services.md

scheduled_tasks_services.md

 
 

README.md

Vollgar Campaign IoCs

This repository contains a list of IoCs for the Vollgar campaign.

Repository Contents

  • Names of binary files and script dropped as part of the attack
  • Connect-back servers' domains and IP addresses
  • Names of scheduled tasks and services set by the attacker
  • Backdoor credentials created by the attacker
  • a Powershell script made by Guardicore to detect residues of the Vollgar campaign on a Windows machine

Detection Script - detect_vollgar.ps1

Running the Script

Open a PowerShell command prompt and run

.\detect_volgar.ps1

The script detects traces of the campaign's attacks:

  1. Payload files in various file-system locations
  2. Services and scheduled task names
  3. Backdoor usernames

If the machine has any such residues, the output will contain the sentence

Evidence for Vollgar campaign has been found on this host.

In such case, you should:

  • remove traces of the attack from the paths specified in the output
  • terminate the malicious processes
  • contact Guardicore Labs