๐ North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks
๐ก Newskategorie: Hacking
๐ Quelle: blackhatethicalhacking.com
North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks
North Korean APT Kimsuky Deploys New Gomir Linux Backdoor in Targeted Attacks
The North Korean hacker group Kimsuky has introduced a new Linux malware called Gomir, a variant of the GoBear backdoor, delivered through trojanized software installers.
State-Sponsored Threat Actor
Kimsuky, linked to North Koreaโs military intelligence agency, the Reconnaissance General Bureau (RGB), has been targeting South Korean organizations using this new malware. The advanced persistent threat (APT) group has a history of espionage activities, utilizing sophisticated malware to achieve their objectives.
Discovery of Gomir Backdoor
In early February 2024, researchers at the SW2 threat intelligence company uncovered a campaign where Kimsuky
used trojanized versions of various software solutions such as TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear.
Analysts at Symantec, a Broadcom company, investigating the same campaign targeting South Korean government organizations, discovered a new malicious tool, identified as a Linux variant of the GoBear backdoor, named Gomir.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
The Gomir Backdoor
Gomir shares many similarities with GoBear, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, the malware checks the group ID value to determine if it runs with root privileges on the Linux machine, and then copies itself to /var/log/syslogd for persistence.
Next, it creates a systemd service named โsyslogdโ and issues commands to start the service before deleting the original executable and terminating the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (โcron.txtโ) in the current working directory. If the crontab list is updated successfully, the helper file is removed as well.
Functionality and Commands
Gomir supports 17 operations, triggered when the corresponding command is received from the C2 via HTTP POST requests:
- Pause communication with the C&C server.
- Execute arbitrary shell commands.
- Report the current working directory.
- Change the working directory.
- Probe network endpoints.
- Terminate its own process.
- Report the executable pathname.
- Collect statistics about directory trees.
- Report system configuration details (hostname, username, CPU, RAM, network interfaces).
- Configure a fallback shell for executing commands.
- Configure a codepage for interpreting shell command output.
- Pause communication until a specified datetime.
- Respond with โNot implemented on Linux!โ
- Start a reverse proxy for remote connections.
- Report control endpoints for the reverse proxy.
- Create arbitrary files on the system.
- Exfiltrate files from the system.
According to Symantec researchers, the commands above โare almost identical to those supported by the GoBear Windows backdoor.โ
Trending: Offensive Security Tool: 403jump
Preferred Attack Method
Based on the analysis of the campaign, researchers believe that supply-chain attacks (through software, trojanized installers, and fake installers) represent the preferred attack method for North Korean espionage actors. The choice of software to be trojanized โappears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.โ
Symantecโs report includes a set of indicators of compromise for multiple malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper. The findings underscore the growing sophistication and targeted nature of Kimsukyโs cyber-espionage operations.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: bleepingcomputer.com
Recent News
FBI Shuts Down Infamous BreachForums in International Cybercrime Crackdown
D-Linkโs DIR-X4860 Vulnerable to Remote Command Execution with Zero-Day Exploit and Released PoC
Apple: Security Patch Rollout Shields Older iPhones from Zero-Day Attacks
Malicious Python Package Conceals Golang-based Sliver C2 Framework
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
