The Gomir Backdoor Threat Deployed by an Advanced Persistent Threat Initiating Korean Cyberattacks
The Kimsuky advanced persistent threat (APT) group, also known as Springtail, has launched a new cyber espionage campaign. This group, linked to North Korea's Reconnaissance General Bureau (RGB), is now deploying a Linux variant of its GoBear backdoor, named Gomir, targeting South Korean organizations.
Table of Contents
Background on Kimsuky and GoBear
The Kimsuky group has a history of targeting South Korean entities with various malware. The GoBear backdoor, which Gomir is based on, was first documented by South Korean security firm S2W in early February 2024. This campaign delivered malware called Troll Stealer, which shares characteristics with other Kimsuky malware families like AppleSeed and AlphaSeed.
The Emergence of Gomir
According to the Symantec Threat Hunter Team, Gomir is nearly identical to GoBear, with a significant overlap in code between the two. Any operating system-dependent functionality in GoBear has been either omitted or reimplemented in Gomir. This backdoor supports up to 17 commands, allowing its operators to execute various tasks such as file operations, starting a reverse proxy, pausing command-and-control (C2) communications, running shell commands, and terminating its own process.
Distribution Methods
The AhnLab Security Intelligence Center (ASEC) discovered that the malware is being distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association's website. These compromised programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort. Notably, WIZVERA VeraPort was previously subjected to a software supply chain attack by the Lazarus Group in 2020.
Symantec also observed Troll Stealer being delivered through rogue installers for Wizvera VeraPort. However, the exact distribution mechanism of these installation packages remains unknown. Additionally, the malware is propagated through droppers masquerading as fake installers for applications related to a Korean transport organization.
Common Origins and Functionality
Symantec's analysis indicates that GoBear and Gomir share function names with an older Springtail backdoor called BetaSeed, written in C++. This similarity suggests a common origin for these threats. Both malware variants support capabilities to execute commands received from a remote server, highlighting their versatility and potential for extensive espionage activities.
Implications and Conclusion
This latest campaign underscores the increasing sophistication of North Korean cyber espionage actors. By targeting software installation packages and updates, they maximize the chances of infecting their intended South Korean-based targets. The carefully chosen software targets indicate a strategic approach to cyber espionage, aiming to gain unauthorized access to sensitive information.
The continued evolution and deployment of backdoors like GoBear and Gomir illustrate the persistent threat posed by the Kimsuky APT group. Organizations, particularly in South Korea, must remain vigilant and enhance their cybersecurity measures to defend against such sophisticated attacks.
