North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks

by | May 17, 2024 | News

North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks

Post Views: 269




Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon
Reading Time: 3 Minutes

North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks

The North Korean hacker group Kimsuky has introduced a new Linux malware called Gomir, a variant of the GoBear backdoor, delivered through trojanized software installers.

State-Sponsored Threat Actor

Kimsuky, linked to North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB), has been targeting South Korean organizations using this new malware. The advanced persistent threat (APT) group has a history of espionage activities, utilizing sophisticated malware to achieve their objectives.

Discovery of Gomir Backdoor

In early February 2024, researchers at the SW2 threat intelligence company uncovered a campaign where Kimsuky

used trojanized versions of various software solutions such as TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear.

Analysts at Symantec, a Broadcom company, investigating the same campaign targeting South Korean government organizations, discovered a new malicious tool, identified as a Linux variant of the GoBear backdoor, named Gomir.

See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses




Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

The Gomir Backdoor

Gomir shares many similarities with GoBear, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, the malware checks the group ID value to determine if it runs with root privileges on the Linux machine, and then copies itself to /var/log/syslogd for persistence.

Next, it creates a systemd service named ‘syslogd’ and issues commands to start the service before deleting the original executable and terminating the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current working directory. If the crontab list is updated successfully, the helper file is removed as well.

Functionality and Commands

Gomir supports 17 operations, triggered when the corresponding command is received from the C2 via HTTP POST requests:

  • Pause communication with the C&C server.
  • Execute arbitrary shell commands.
  • Report the current working directory.
  • Change the working directory.
  • Probe network endpoints.
  • Terminate its own process.
  • Report the executable pathname.
  • Collect statistics about directory trees.
  • Report system configuration details (hostname, username, CPU, RAM, network interfaces).
  • Configure a fallback shell for executing commands.
  • Configure a codepage for interpreting shell command output.
  • Pause communication until a specified datetime.
  • Respond with “Not implemented on Linux!”
  • Start a reverse proxy for remote connections.
  • Report control endpoints for the reverse proxy.
  • Create arbitrary files on the system.
  • Exfiltrate files from the system.

According to Symantec researchers, the commands above “are almost identical to those supported by the GoBear Windows backdoor.”

Trending: Understanding the Advantages and Challenges of Zero Trust Security




Trending: Offensive Security Tool: 403jump

Preferred Attack Method

Based on the analysis of the campaign, researchers believe that supply-chain attacks (through software, trojanized installers, and fake installers) represent the preferred attack method for North Korean espionage actors. The choice of software to be trojanized “appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

Symantec’s report includes a set of indicators of compromise for multiple malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper. The findings underscore the growing sophistication and targeted nature of Kimsuky’s cyber-espionage operations.

Trending: TunnelVision: The New VPN Bypass Technique Exposing Users to Surveillance

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This