Linux Backdoor Gomir Detection: North Korean Kimsuky APT aka Springtail Spreads New Malware Variant Targeting South Korean Organizations

Heads up! The nefarious cyber-espionage group Kimsuky APT, aka Springtail, enriches its offensive toolkit with a novel malware variant dubbed Linux.Gomir. The novel backdoor, which is considered to be a Linux iteration of the GoBear malware, is leveraged by adversaries in the ongoing cyber attacks against South Korean organizations.

Detect Gomir Backdoor Delivered by Kimsuky APT

The continuously evolving offensive toolkit of the North Korean hacking collective known as Kimsuky APT, aka Springtail, requires ultra-responsiveness from defenders. The latest attack leveraging a set of legitimate software packages and abused by adversaries to spread Linux-based malware iteration underscores the need for increasing proactive defenses. SOC Prime Team curates dedicated Sigma rules to thwart attacks by Kimsuky APT leveraging the Gomir backdoor available via the Explore Detections button below.

Explore Detections

Detection algorithms are mapped to the MITRE ATT&CK® framework and automatically convertible to the industry-leading SIEM, EDR, and Data Lake technologies for seamless cross-platform threat detection. 

Organizations can also rely on the entire detection stack addressing Kimsuky APT adversary activity by following this link to eliminate the risks of related cyber-espionage attacks and future-proof their cybersecurity posture. 

Gomir Backdoor Analysis

The notorious hacking group tracked as Kimsuky APT and linked to North Korea’s Reconnaissance General Bureau (RGB) has been active in the cyber threat landscape for over ten years, with a major focus on intelligence-gathering operations. Threat actors, also known as Springtail, Emerald Sleet, or THALLIUM, have been primarily targeting South Korean public sector entities. Kimsuky has explored diverse attack methods, frequently updating its adversary toolkit and shifting TTPs. 

In the latest campaign uncovered by Symantec researchers, the novel backdoor (Linux.Gomir) appears to be the Linux-based iteration of the Windows Go-based backdoor dubbed GoBear. AhnLab SEcurity intelligence Center (ASEC) revealed further details into the Gomir backdoor related to its delivery via Trojanized software installation packages downloaded from the website of a South Korean construction-related association. The exploited software includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, with the latter being targeted in a supply chain attack by the Lazarus Group in 2020. 

Gomir and GoBear bear structural similarities, displaying a significant code overlap between the two malicious strains. GoBear emerged in the cyber threat arena in early February 2024, linked to a campaign employing a new Golang-based information-stealing malware tracked as Troll Stealer. The latter displays significant code overlap with earlier Kimsuky malware families like AppleSeed and AlphaSeed. Notably, Symantec has also unveiled that Troll Stealer was similarly distributed through Trojanized installation packages for Wizvera VeraPort. GoBear also features similar function names to an older Kimsuky backdoor dubbed BetaSeed, assuming that both threats share a common origin. 

Weeks later after the initially discovered attack, defenders revealed that GoBear was distributed through a dropper disguised as an installer for an app associated with a Korean transport organization. In this case, the attackers masqueraded the dropper as an installer featuring the organization’s logos rather than weaponizing a genuine software package. 

The newly discovered Linux-based backdoor campaign enables running up to 17 commands to perform tasks like file operations, initiating a reverse proxy, temporarily halting C2 communications, executing shell commands, and terminating its own process. Gomir checks its command line after execution. Provided that it detects the string “install” as its sole argument, it attempts to establish persistence by installing itself.

This recent Kimsuky campaign displays the adversary’s increasing preference for using software installation packages and updates as infection vectors. Variations of this adversary tactic include software supply chain attacks and Trojanized and fraudulent software installation packages. The selection of targeted software appears to have been carefully curated to increase the chances of successful intrusions targeting South Korea.

To mitigate the risks related to the Gomir backdoor infections, Symantec recommends referring to the vendor’s corresponding Protection Bulletin, which details potential infection vectors and feasible security protection measures. 

The enhanced sophistication and increased variety of tools applied by the Kimsuky cyber-espionage group fuel the need for proactive cyber defense to successfully preempt malicious intentions. Rely on Uncoder AI, SOC Prime’s AI-powered Detection Engineering suite, to streamline your rule coding, validation, and fine-tuning, accelerate IOC-based hunting to swiftly search for the latest APTs and emerging threats of any scale, and automatically translate your code across multiple SIEM, EDR, and Data lake languages while boosting your engineering team’s productivity and performance.