Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks


The Kimsuky APT group, also known as Springtail and affiliated with North Korea’s Reconnaissance General Bureau (RGB), has recently been detected deploying a Linux variant of its GoBear backdoor in a campaign aimed at South Korean organizations.

This new variant, named Gomir, shares significant structural similarities with GoBear, including extensive code overlap, as highlighted by the Symantec Threat Hunter Team, a division of Broadcom. While Gomir largely mirrors GoBear's functionality, any OS-dependent features have been either omitted or reimplemented for Linux.

GoBear first surfaced in early February 2024, when South Korean security firm S2W identified it in connection with a malware campaign distributing Troll Stealer (also known as TrollAgent). That campaign overlaps with previously known Kimsuky malware families such as AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that Troll Stealer is disseminated via trojanized security software downloaded from an undisclosed South Korean construction-related association’s website. Among the compromised programs are nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, with the latter previously targeted in a software supply chain attack by the Lazarus Group in 2020.

Symantec also observed Troll Stealer being distributed via rogue installers for Wizvera VeraPort, although the exact method of delivery for these installation packages remains undisclosed.

Moreover, GoBear shares similar function names with an older Springtail backdoor known as BetaSeed, written in C++, suggesting a shared lineage between the two threats.

Gomir, the Linux counterpart, has a broad range of capabilities, supporting up to 17 commands. These commands let operators perform file operations, start a reverse proxy, temporarily pause command-and-control (C2) communications, execute shell commands, and terminate the backdoor's own process.

The recent Springtail campaign underscores the preference of North Korean espionage actors for software installation packages and updates as primary infection vectors. The targeted software appears to have been carefully selected to maximize the likelihood of infecting South Korea-based targets.

Source: thehackernews.com

Peter Tolan is a Junior Content Editor for the HIPTHER network, where he has quickly established himself as a versatile voice in the global iGaming and technology sectors. Operating across the network's specialized platforms, Peter leverages a deep understanding of the European and American gaming landscapes to deliver high-impact, B2B intelligence. He is a key contributor to the "Evolution" side of the industry, specializing in the analysis of online gaming trends, the fast-paced world of esports, and the integration of deep-tech innovations. With a sharp eye for emerging technologies, Peter ensures that the HIPTHER community remains at the forefront of the global digital revolution.