The Kimsuky APT group, which is closely linked to the North Korean military intelligence organization, has been deploying a newly discovered Linux backdoor in attacks against organizations in South Korea.
The backdoor is known as Gomir and is closely related to another piece of malware called GoBear, which is built for Windows targets. Researchers from Symantec discovered Gomir and said that it is also linked to Troll Stealer, an info stealer that Kimsuky was distributing in the last few months through compromised software packages. Kimsuky, which Symantec refers to as Springtail, has been active for more than a decade and is associated mainly with attacks on South Korean government and private sector organizations. The group is highly capable and develops an array of custom tools for its attacks. In November, the Department of the Treasury and government agencies from several European countries announced sanctions against Kimsuky and eight North Korean nationals.
The Gomir backdoor is the latest addition to Kimsuky’s arsenal, which is considerable. The group has a wide range of custom and public tools at its disposal and is not shy about deploying them. Symantec’s researchers discovered the Gomir backdoor during investigations into Kimsuky’s use of Troll Stealer and GoBear.
“Symantec’s investigation into the attacks uncovered a Linux version of this malware family (Linux.Gomir) which is structurally almost identical and shares an extensive amount of distinct code with the Windows Go-based backdoor GoBear. Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir,” Symantec’s analysis of the backdoor says.
Supply chain attacks have emerged as a key technique for many APT groups, and the past few years have seen several high-profile attacks that involved supply chain compromises. The SolarWinds, 3CX, and Kaseya attacks all had significant repercussions across a wide range of sectors, and those results didn’t go unnoticed by other attackers. Supply chain intrusions can provide a tremendous amount of return on investment.
“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” the Symantec analysis says.
“The most notable example to date is the 3CX supply chain attack, which itself was the result of the earlier X_Trader supply chain attack. Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”
The Gomir backdoor has a number of capabilities, including the ability to check arbitrary endpoints for TCP connections, discover and report the configuration of the machine it’s on, create a file on the machine, and exfiltrate any files from the computer.