The North Korean hacker group Kimsuki has been using a new Linux malware called Gomir that is a version of the GoBear backdoor delivered via trojanized software installers.
Kimsuky is a state-sponsored threat actor linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB).
In early February 2024, researchers at the SW2 threat intelligence company reported about a campaign where Kimsuky used trojanized versions of various software solutions, e.g. TrustPKI and NX_PRNMAN from SGA Solutions, Wizvera VeraPort, to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear.
Analysts at Symantec, a Broadcom company, looking into the same campaign that targeted South Korean government organizations, discovered a new malicious tool that appears to be a Linux variant of the GoBear backdoor.
The Gomir backdoor
Gomir shares many similarities with GoBear and features direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands.
Upon installation, the malware checks the group ID value to determine if it runs with root privileges on the Linux machine, and then copies itself to /var/log/syslogd for persistence.
Next, it creates a systemd service named ‘syslogd’ and issues commands that start the service before deleting the original executable and terminating the initial process.
The backdoor also tries configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current working directory. If the crontab list is updated successfully, the helper file is removed as well.
Gomir supports the following 17 operations, triggered when the corresponding command is received from the C2 via HTTP POST requests.
- Pause communication with the C&C server.
- Execute arbitrary shell commands.
- Report the current working directory.
- Change the working directory.
- Probe network endpoints.
- Terminate its own process.
- Report the executable pathname.
- Collect statistics about directory trees.
- Report system configuration details (hostname, username, CPU, RAM, network interfaces).
- Configure a fallback shell for executing commands.
- Configure a codepage for interpreting shell command output.
- Pause communication until a specified datetime.
- Respond with “Not implemented on Linux!”
- Start a reverse proxy for remote connections.
- Report control endpoints for the reverse proxy.
- Create arbitrary files on the system.
- Exfiltrate files from the system.
According to Symantec researchers, the commands above “are almost identical to those supported by the GoBear Windows backdoor.”
Based on the analysis of the campaign, the researchers believe that supply-chain attacks (software, trojanized installers, fake installers) represent the preferred attack method for North Korean espionage actors.
The researchers note that the choice of the software to be trojanized “appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”
Symantec’s report includes a set of indicators of compromise for multiple malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper.