Kimsuky threat group deploys Gomir backdoor against South Korea

May 20, 2024
Tags: Gomir Backdoor, Kimsuky Threat Group, South Korea, Linux

The North Korean state-sponsored threat group Kimsuky has been using a new Linux backdoor, Gomir, against South Korean entities. Researchers report that the malware is a Linux variant of the GoBear backdoor and that it has been delivered through trojanised software installers.

Earlier this year, researchers reported a campaign in which Kimsuky used trojanised versions of several software packages to infect South Korean targets with Troll Stealer and GoBear, a Go-based Windows backdoor.

A separate team investigating the same campaign against South Korean government entities uncovered a new tool that appears to be the Linux counterpart of the GoBear backdoor.


Gomir is reported to be the Linux variant of the GoBear malware.

Gomir resembles GoBear in several ways: it communicates directly with its C2 server, establishes persistence, and supports a range of commands.

On installation, Gomir checks its group ID to determine whether it is running as root on the Linux host, then copies itself to /var/log/syslogd to establish persistence.

It then creates a systemd service named 'syslogd', issues commands to start the service, deletes the original executable and exits the initial process.

Gomir also installs a crontab entry that runs on reboot, writing a helper file ('cron.txt') in its current working directory to do so. If the crontab is updated successfully, the helper file is deleted.
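The persistence steps above leave a small, specific set of artefacts on disk and in the process table, which is enough to build a hunt for them. The script below is an added example, not code from the article or from the researchers who analysed Gomir. It takes only four facts from the text (the /var/log/syslogd drop path, the 'syslogd' service name, the reboot crontab entry and the cron.txt helper); the crontab spool locations for Debian and RHEL-style systems, the contents of the sample unit file and crontab line, and the PID numbers are assumptions used to construct an offline test tree.

```python
import os
import re
import stat
import tempfile

def _read(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read()

def check_persistence(root="/"):
    """Return (indicator, path) pairs for Gomir-style persistence under root:
    "/" for the live host, or the mount point of an image or test tree."""
    findings = []
    # 1. Executable dropped at /var/log/syslogd. /var/log holds logs; the
    #    genuine syslog daemon lives under /usr/sbin or /sbin.
    dropped = os.path.join(root, "var", "log", "syslogd")
    if os.path.isfile(dropped) and os.stat(dropped).st_mode & stat.S_IXUSR:
        findings.append(("executable_in_var_log", dropped))
    # 2. A unit literally named syslogd.service (distributions ship
    #    rsyslog.service or syslog-ng.service) whose ExecStart is in /var/log.
    for unit_dir in ("etc/systemd/system", "usr/lib/systemd/system",
                     "lib/systemd/system"):
        unit = os.path.join(root, unit_dir, "syslogd.service")
        if os.path.isfile(unit):
            m = re.search(r"^ExecStart=\s*(\S+)", _read(unit), re.MULTILINE)
            if m and m.group(1).startswith("/var/log/"):
                findings.append(("systemd_unit_runs_from_var_log", unit))
            else:
                findings.append(("systemd_unit_named_syslogd", unit))
    # 3. An @reboot line in root's crontab pointing at the dropped binary
    #    (assumed spool paths: Debian /var/spool/cron/crontabs/root,
    #    RHEL-style /var/spool/cron/root).
    for spool in ("var/spool/cron/crontabs/root", "var/spool/cron/root"):
        tab = os.path.join(root, spool)
        if os.path.isfile(tab):
            for line in _read(tab).splitlines():
                if line.startswith("@reboot") and "/var/log/syslogd" in line:
                    findings.append(("reboot_cron_runs_from_var_log", tab))
    # 4. Leftover cron.txt: Gomir deletes it only if the crontab update
    #    succeeds. Its working directory is unknown, so walk a few levels.
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.relpath(dirpath, root).count(os.sep) >= 2:
            dirnames[:] = []  # stop descending
        if "cron.txt" in filenames:
            helper = os.path.join(dirpath, "cron.txt")
            if "@reboot" in _read(helper):
                findings.append(("leftover_cron_helper", helper))
    return findings

def check_processes(proc_root="/proc"):
    """Return PIDs whose exe link is /var/log/syslogd. Gomir exits its original
    process, so the copy started by systemd is the survivor (needs root)."""
    hits = []
    for pid in os.listdir(proc_root) if os.path.isdir(proc_root) else []:
        if pid.isdigit():
            try:
                exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            except OSError:
                continue
            # An unlinked binary shows as "<path> (deleted)".
            if exe.split(" (deleted)")[0] == "/var/log/syslogd":
                hits.append(int(pid))
    return hits

def build_sample_tree(root):
    """Constructed artefacts mirroring the steps above (not a real capture).
    The unit file, crontab text and PIDs are assumptions; the article gives
    only the service name, the drop path and the cron.txt helper."""
    def put(rel, content, executable=False):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        if executable:
            os.chmod(path, 0o755)
    put("var/log/syslogd", "#!/bin/sh\n# stand-in for the dropped ELF\n", True)
    put("etc/systemd/system/syslogd.service",
        "[Unit]\nDescription=syslogd\n[Service]\nExecStart=/var/log/syslogd\n"
        "[Install]\nWantedBy=multi-user.target\n")
    put("var/spool/cron/crontabs/root", "@reboot /var/log/syslogd\n")
    put("tmp/cron.txt", "@reboot /var/log/syslogd\n")  # failed-update leftover
    # Fake /proc: PID 1 is benign, PID 4242 is the backdoor.
    for pid, exe in (("1", "/usr/lib/systemd/systemd"), ("4242", "/var/log/syslogd")):
        os.makedirs(os.path.join(root, "proc", pid), exist_ok=True)
        os.symlink(exe, os.path.join(root, "proc", pid, "exe"))

def run_demo():
    """Build the sample tree in a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        names = sorted(ind for ind, _ in check_persistence(tmp))
        pids = check_processes(os.path.join(tmp, "proc"))
    return names, pids

if __name__ == "__main__":
    print(run_demo())
```

On a live host run `check_persistence("/")` and `check_processes()` as root, or point `root` at a mounted disk image for offline triage. The `systemd_unit_named_syslogd` indicator on its own is the weakest of the four (an administrator could legitimately name a unit that way); the others each tie back to the /var/log/syslogd path and are much harder to explain benignly.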

Researchers confirmed that Gomir supports 17 operations, each triggered when the backdoor receives the corresponding command from its command-and-control server via an HTTP POST request.

Confirmed commands include terminating communication with the C2 server, running arbitrary shell commands, reporting the current working directory, changing the working directory, and probing network endpoints.

The researchers also noted that this command set is almost identical to the one supported by the GoBear Windows backdoor. Their wider analysis indicates that supply-chain attacks, delivered through trojanised installers, are the primary strategy of these North Korean espionage actors.

The trojanised software also appears to have been chosen carefully to maximise the chance of infecting the intended South Korean targets.
