Home Security Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

by


May 17, 2024NewsroomLinux / Malware

The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.

The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with extensive sharing of code between malware variants,” the Symantec Threat Hunter Team, part of Broadcom, said in a new report. “Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.”

Cybersecurity

GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association’s website.

This includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously subjected to a software supply chain attack by the Lazarus Group in 2020.

Symantec said that it also observed the Troll Stealer malware being delivered via rogue installers for Wizvera VeraPort, although the exact distribution mechanism by which the installation packages get delivered is presently unknown.

“GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin,” the company noted.

The malware, which supports capabilities to execute commands received from a remote server, is also said to be propagated through droppers that masquerade as a fake installer for an app for a Korean transport organization.

Cybersecurity

Its Linux counterpart, Gomir, supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified time duration, run shell commands, and terminate its own process.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.

“The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex