TLDR:
- The Kimsuky APT group, linked to North Korea’s Reconnaissance General Bureau, has been observed deploying a Linux backdoor codenamed Gomir in cyber attacks targeting South Korean organizations.
- Gomir is structurally almost identical to the Windows GoBear backdoor, with extensive code sharing between the two.
In a recent report, the Symantec Threat Hunter Team identified the Kimsuky APT group, also known as Springtail and linked to North Korea’s Reconnaissance General Bureau, deploying a Linux version of the GoBear backdoor named Gomir in cyber attacks targeting South Korean organizations. The malware is structurally almost identical to GoBear, with extensive code sharing between the variants.
GoBear, originally documented by South Korean security firm S2W, was part of a campaign that also delivered the Troll Stealer malware. That campaign spread its payloads through trojanized security programs downloaded from South Korean websites. Gomir, the Linux counterpart of GoBear, exposes a set of operator commands that includes executing arbitrary shell commands on the infected host, among other capabilities.
Gomir is distributed through trojanized installation packages and fake installers, as well as through droppers disguised as installers for Korean applications. Symantec notes that software installation packages and updates have become a favoured infection vector for North Korean espionage actors, with the impersonated software chosen carefully to maximize the chance of infecting South Korean targets.