Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Cyber Security

May 17, 2024NewsroomLinux / Malware

The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.

The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with extensive sharing of code between malware variants,” the Symantec Threat Hunter Team, part of Broadcom, said in a new report. “Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.”

GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association’s website.

This includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously subjected to a software supply chain attack by the Lazarus Group in 2020.

Symantec said that it also observed the Troll Stealer malware being delivered via rogue installers for Wizvera VeraPort, although the exact distribution mechanism by which the installation packages get delivered is presently unknown.

“GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin,” the company noted.

The malware, which supports capabilities to execute commands received from a remote server, is also said to be propagated through droppers that masquerade as a fake installer for an app for a Korean transport organization.

Its Linux counterpart, Gomir, supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified time duration, run shell commands, and terminate its own process.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.

“The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.