The Gomir Backdoor Threat Deployed by an Advanced Persistent Threat Initiating Korean Cyberattacks

The Kimsuky advanced persistent threat (APT) group, also known as Springtail, has launched a new cyber espionage campaign. This group, linked to North Korea's Reconnaissance General Bureau (RGB), is now deploying a Linux variant of its GoBear backdoor, named Gomir, targeting South Korean organizations.

Background on Kimsuky and GoBear

The Kimsuky group has a history of targeting South Korean entities with various malware. The GoBear backdoor, which Gomir is based on, was first documented by South Korean security firm S2W in early February 2024. This campaign delivered malware called Troll Stealer, which shares characteristics with other Kimsuky malware families like AppleSeed and AlphaSeed.

The Emergence of Gomir

According to the Symantec Threat Hunter Team, Gomir is nearly identical to GoBear, with a significant overlap in code between the two. Any operating system-dependent functionality in GoBear has been either omitted or reimplemented in Gomir. This backdoor supports up to 17 commands, allowing its operators to execute various tasks such as file operations, starting a reverse proxy, pausing command-and-control (C2) communications, running shell commands, and terminating its own process.

Distribution Methods

The AhnLab Security Intelligence Center (ASEC) discovered that the malware is being distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association's website. These compromised programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort. Notably, WIZVERA VeraPort was previously subjected to a software supply chain attack by the Lazarus Group in 2020.

Symantec also observed Troll Stealer being delivered through rogue installers for Wizvera VeraPort. However, the exact distribution mechanism of these installation packages remains unknown. Additionally, the malware is propagated through droppers masquerading as fake installers for applications related to a Korean transport organization.

Common Origins and Functionality

Symantec's analysis indicates that GoBear and Gomir share function names with an older Springtail backdoor called BetaSeed, written in C++. This similarity suggests a common origin for these threats. Both malware variants support capabilities to execute commands received from a remote server, highlighting their versatility and potential for extensive espionage activities.

Implications and Conclusion

This latest campaign underscores the increasing sophistication of North Korean cyber espionage actors. By targeting software installation packages and updates, they maximize the chances of infecting their intended South Korean-based targets. The carefully chosen software targets indicate a strategic approach to cyber espionage, aiming to gain unauthorized access to sensitive information.

The continued evolution and deployment of backdoors like GoBear and Gomir illustrate the persistent threat posed by the Kimsuky APT group. Organizations, particularly in South Korea, must remain vigilant and enhance their cybersecurity measures to defend against such sophisticated attacks.

May 17, 2024

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.