Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks
The Kimsuky APT group, also known as Springtail and affiliated with North Korea’s Reconnaissance General Bureau (RGB), has recently been detected deploying a Linux variant of its GoBear backdoor in a campaign aimed at South Korean organizations.

This new variant, named Gomir, shares much of its structure and code with GoBear, as highlighted by the Symantec Threat Hunter Team, a division of Broadcom. Gomir largely mirrors GoBear's functionality; Windows-specific features have been either omitted or reimplemented for Linux.

GoBear first surfaced in early February 2024, when South Korean security firm S2W documented it in a malware campaign distributing Troll Stealer (also known as TrollAgent). The malware used in that campaign overlaps with previously known Kimsuky families such as AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that Troll Stealer is disseminated via trojanized security software downloaded from an undisclosed South Korean construction-related association’s website. Among the compromised programs are nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, with the latter previously targeted in a software supply chain attack by the Lazarus Group in 2020.

Symantec also observed Troll Stealer being distributed via rogue installers for WIZVERA VeraPort, although how these installation packages were delivered to victims remains undisclosed.

Moreover, GoBear shares similar function names with an older Springtail backdoor known as BetaSeed, written in C++, suggesting a shared lineage between the two threats.

Gomir, the Linux counterpart, supports 17 commands. These enable operators to perform file operations, start a reverse proxy, temporarily pause command-and-control (C2) communications, execute shell commands, and terminate the backdoor's own process.

The recent Springtail campaign underscores the preference of North Korean espionage actors for utilizing software installation packages and updates as primary infection vectors. The selection of targeted software appears to have been carefully curated to maximize the likelihood of infecting South Korean-based targets.