    Kimsuky APT deploys Linux backdoor Gomir in South Korean cyber attacks

Report · May 17, 2024 · Editorial Department · Linux/Malware

    The Kimsuky (aka Springtail) advanced persistent threat (APT) group with ties to North Korea’s Reconnaissance General Bureau (RGB) has been observed deploying a Linux version of the GoBear backdoor as part of a campaign targeting South Korean groups.

The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with code widely shared between the malware variants,” Broadcom’s Symantec Threat Hunter Team said in a new report. “Any functionality in GoBear that relies on the operating system is either missing in Gomir or has been re-implemented.”


GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that spread an information stealer called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families such as AppleSeed and AlphaSeed.

Subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware was distributed via trojanized security programs downloaded from the website of the Korean Construction Related Association.

The trojanized programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously the subject of a software supply chain attack by the Lazarus Group in 2020.

Symantec said it has also observed the Troll Stealer malware being spread through a malicious WIZVERA VeraPort installer, but the exact mechanism used to distribute that installer is not yet clear.

    “GoBear also contains similar function names to the older Springtail backdoor BetaSeed, which was written in C++, suggesting a common origin for both threats,” the company noted.

The malware supports the execution of commands received from a remote server and is also said to be spread via a fake installer disguised as a Korea Transportation Organization application.


Its Linux counterpart, Gomir, supports up to 17 commands, allowing its operators to perform file operations, launch reverse proxies, pause command-and-control (C2) communications for a specified period of time, run shell commands, and terminate the implant itself.

    “The latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.

    “The targeting software appears to have been carefully selected to maximize the chance of infecting South Korean targets.”
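The report's closing point, that trojanized installers and updates have become a favoured infection vector, maps onto one basic defensive control: a downloaded installer should be checked against a pinned hash obtained over a separately trusted channel before anyone runs it. The following example is added here to illustrate that check; it is not code from the original article, from Symantec, or from any of the vendors named above, and the manifest contents, file names and file bytes are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample manifest: installer file name -> expected SHA-256 hex digest.
# In practice this would come from the vendor over an authenticated channel,
# not from the same download page as the installer itself.
SAMPLE_MANIFEST = {
    "good-installer.bin": hashlib.sha256(b"trusted installer bytes").hexdigest(),
    "tampered-installer.bin": hashlib.sha256(b"trusted installer bytes").hexdigest(),
}


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large installers are never read fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, expected_hex):
    """Return True only if the file's SHA-256 equals the pinned value.

    hmac.compare_digest avoids a timing side channel on the comparison; for a
    hash check this is mostly a habit worth keeping rather than a real risk.
    """
    return hmac.compare_digest(sha256_file(path).lower(), expected_hex.lower())


def check_manifest(manifest, directory):
    """Check every manifest entry against the files in `directory`.

    Returns a list of (file name, reason) pairs for entries that are missing or
    whose hash does not match; an empty list means every installer verified.
    """
    failures = []
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            failures.append((name, "missing"))
        elif not verify_installer(path, expected):
            failures.append((name, "hash mismatch"))
    return failures


def demo():
    """Create two constructed files, one genuine and one altered, and check both."""
    with tempfile.TemporaryDirectory() as directory:
        with open(os.path.join(directory, "good-installer.bin"), "wb") as handle:
            handle.write(b"trusted installer bytes")
        with open(os.path.join(directory, "tampered-installer.bin"), "wb") as handle:
            # A single appended byte is enough to change the digest entirely.
            handle.write(b"trusted installer bytes" + b"\x00")
        return check_manifest(SAMPLE_MANIFEST, directory)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"REJECT {name}: {reason}")
```

The check only helps if the pinned hashes are themselves trustworthy: a manifest served from the same compromised site as the installer would simply be updated alongside it, which is why the expected values need to arrive through a different channel (a signed release note, an out-of-band vendor feed, or an internal software catalogue) and why a rejected file should be treated as an incident to investigate rather than a download to retry.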
