North Korean hacker group Kimsuky has unveiled a new Linux malware named "Gomir," a variant of the GoBear backdoor. This development marks a significant advancement in the group's cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyber attacks aimed primarily at South Korean entities.
In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear.
Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed "Gomir." This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands.
Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine.
It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Following these steps, the original executable is deleted, and the initial process is terminated.
To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file ('cron.txt') in the current working directory. If successful, the helper file is removed.
Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests.
These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more. Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems.
Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors.
The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets. By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data.
The implications of Kimsuky's activities are significant. By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea.
The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage.
Symantec's report on this campaign includes a set of indicators of compromise (IOCs) for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These IOCs are crucial for cybersecurity professionals to detect and mitigate the impact of these threats.
As the digital landscape continues to evolve, the need for robust cybersecurity measures becomes ever more critical. Organizations, especially those in high-target regions like South Korea, must remain vigilant and proactive in their defense strategies. This includes regularly updating software, conducting thorough security assessments, and implementing comprehensive threat detection and response mechanisms.
The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime. By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.