The Kimsuky (aka Springtail) advanced persistent threat (APT) group with ties to North Korea’s Reconnaissance General Bureau (RGB) has been observed deploying a Linux version of the GoBear backdoor as part of a campaign targeting South Korean groups.
The Linux backdoor, codenamed Gomir, is “structurally almost identical to GoBear; code is widely shared between the malware variants,” Broadcom’s Symantec Threat Hunters team said in a new report. “Any functionality in GoBear that relies on the operating system is either missing in Gomir or has been re-implemented.”
GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign to spread malware called Troll Stealer (aka TrollAgent), which overlapped with known Kimsuky malware families such as AppleSeed and AlphaSeed.
Subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware was distributed via trojanized security programs downloaded from the website of the Korean Construction Related Association.
The trojanized programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously the subject of a software supply chain attack by Lazarus Group in 2020.
Symantec said it has also observed the Troll Stealer malware being spread through a malicious installer for WIZVERA VeraPort, but the exact distribution mechanism used to deliver that installer is not yet clear.
“GoBear also contains similar function names to the older Springtail backdoor BetaSeed, which was written in C++, suggesting a common origin for both threats,” the company noted.
The malware supports the execution of commands received from a remote server and is also said to be spread via a fake installer implant disguised as a Korea Transportation Organization application.
Its Linux counterpart, Gomir, supports up to 17 commands, allowing its operators to perform file operations, launch reverse proxies, suspend command and control (C2) communications for a specified period of time, run shell commands, and terminate their own command programs.
“The latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.
“The targeted software appears to have been carefully selected to maximize the chance of infecting South Korean targets.”