North Korea-Linked Kimsuky Hackers Use Gomir Backdoor on Linux

State-sponsored hackers from North Korea are back once again for another campaign.

The North Korean cyber-espionage group Kimsuky, linked to the military intelligence agency Reconnaissance General Bureau (RGB), has been observed using a new Linux malware known as Gomir.

This malware is a Linux variant of the GoBear backdoor, distributed through trojanized software installers. Security researchers warn that the group's move from Windows to Linux widens the range of systems these state-sponsored hackers can reach.

Kimsuky's Recent Campaigns

Three months ago, S2W threat intelligence researchers revealed a campaign in which Kimsuky used trojanized versions of software such as TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort.

These trojanized installers were designed to infect South Korean targets with malware such as Troll Stealer and the GoBear backdoor for Windows.

Analysts at Symantec, a Broadcom company, also identified a Linux version of GoBear while investigating attacks on South Korean government entities.

Behind the Gomir Backdoor

According to Bleeping Computer's report, Gomir shares most of its features with GoBear, including direct command and control (C2) communication, persistence mechanisms, and support for a set of operator commands.

Upon installation, Gomir verifies if it has root privileges on the Linux system by checking the group ID value. It then copies itself to the /var/log/syslogd directory for persistence.

Persistence and Execution

To ensure persistence, Gomir creates a system service named 'syslogd' and initiates this service, deleting the original executable and terminating the initial process.

Additionally, the backdoor attempts to configure a crontab command to run upon system reboot by creating a helper file ('cron.txt') in the working directory. If the crontab list updates successfully, the helper file is removed.
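The persistence steps above leave artifacts a defender can look for: a binary staged under /var/log/syslogd, a service named 'syslogd', an @reboot crontab entry, and, if the crontab update failed, a leftover 'cron.txt' helper file. The following hunt script is an added example written for this article, not code from Symantec, Bleeping Computer or the malware authors. It assumes the service is a systemd unit stored under the usual unit directories, that the crontab entry uses @reboot, and that the binary name inside the staging directory is unknown (the article only names the directory); the sample inputs are constructed.

```python
"""
Hunt for the Gomir persistence artifacts described in the article:
a copy of the binary under /var/log/syslogd, a service named 'syslogd',
and an @reboot crontab entry (plus a leftover 'cron.txt' helper file).
All sample inputs below are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Directory, service name and helper file name come from the article.
# The unit-file locations are an assumption about a systemd host.
STAGING_DIR = "/var/log/syslogd"
SERVICE_NAME = "syslogd"
HELPER_FILE = "cron.txt"
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system")


@dataclass(frozen=True)
class Finding:
    kind: str    # "service", "cron" or "file"
    detail: str


def check_units(units: Dict[str, str]) -> List[Finding]:
    """units maps a unit file name (e.g. 'syslogd.service') to its text.
    Flag a unit if it carries the name the article reports, or if its
    ExecStart runs a binary stored under /var/log, a directory that should
    never hold executables. A normal rsyslog unit is not flagged."""
    findings = []
    for name, text in units.items():
        match = re.search(r"^ExecStart=\s*-?(\S+)", text, re.MULTILINE)
        exe = match.group(1) if match else ""
        if name == f"{SERVICE_NAME}.service":
            findings.append(Finding("service", f"{name} exists; ExecStart={exe or '?'}"))
        elif exe.startswith("/var/log/"):
            findings.append(Finding("service", f"{name} runs {exe} from /var/log"))
    return findings


def check_crontab(crontab_text: str) -> List[Finding]:
    """Flag @reboot entries (the trigger the article describes) that point
    at anything under /var/log."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if line.startswith("@reboot") and "/var/log/" in line:
            findings.append(Finding("cron", line))
    return findings


def check_paths(paths: Iterable[str]) -> List[Finding]:
    """Flag the staging directory and its contents, and any cron.txt helper.
    The helper is deleted only when the crontab update succeeds, so its
    presence suggests a failed persistence attempt worth investigating."""
    findings = []
    for p in paths:
        if p == STAGING_DIR or p.startswith(STAGING_DIR + "/"):
            findings.append(Finding("file", p))
        elif os.path.basename(p) == HELPER_FILE:
            findings.append(Finding("file", f"helper file left behind: {p}"))
    return findings


def hunt(units: Dict[str, str], crontab_text: str, paths: Iterable[str]) -> List[Finding]:
    """Run all three checks over already-collected inputs."""
    return check_units(units) + check_crontab(crontab_text) + check_paths(paths)


def collect_from_host():
    """Read-only collection of the same inputs from the running host.
    The helper file's working directory is unknown, so only the staging
    directory is listed here; pass other listings to check_paths yourself."""
    units = {}
    for d in UNIT_DIRS:
        if os.path.isdir(d):
            for name in os.listdir(d):
                if name.endswith(".service"):
                    try:
                        with open(os.path.join(d, name), errors="replace") as fh:
                            units[name] = fh.read()
                    except OSError:
                        pass
    crontab = ""
    for path in ("/etc/crontab", "/var/spool/cron/crontabs/root", "/var/spool/cron/root"):
        try:
            with open(path, errors="replace") as fh:
                crontab += fh.read() + "\n"
        except OSError:
            pass
    paths = []
    if os.path.isdir(STAGING_DIR):
        paths.append(STAGING_DIR)
        paths += [os.path.join(STAGING_DIR, n) for n in os.listdir(STAGING_DIR)]
    return units, crontab, paths


# Constructed sample inputs: one benign rsyslog unit and one matching the
# article's description. The file name 'syslogd' inside the staging
# directory is a placeholder, not a reported indicator.
SAMPLE_UNITS = {
    "rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n",
    "syslogd.service": "[Service]\nExecStart=/var/log/syslogd/syslogd\n",
}
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "@reboot /var/log/syslogd/syslogd\n"
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
)
SAMPLE_PATHS = ["/var/log/syslog", "/var/log/syslogd/syslogd", "/tmp/work/cron.txt"]

if __name__ == "__main__":
    for f in hunt(SAMPLE_UNITS, SAMPLE_CRONTAB, SAMPLE_PATHS):
        print(f"[{f.kind}] {f.detail}")
```

Run as shown it reports four findings from the constructed sample (the benign /var/log/syslog entry and the rsyslog unit are not flagged); replace the sample with `collect_from_host()` to sweep a live machine. A unit simply named syslogd is not malicious by itself, so the ExecStart path is included in each finding for triage.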

Supported Operations

Gomir supports 17 operations triggered by commands from the C2 server via HTTP POST requests. These operations include:

  • Pausing communication with the C2 server.
  • Executing arbitrary shell commands.
  • Reporting the current working directory.
  • Changing the working directory.
  • Probing network endpoints.
  • Terminating its own process.
  • Reporting the executable pathname.
  • Collecting directory tree statistics.
  • Reporting system configuration details (hostname, username, CPU, RAM, network interfaces).
  • Configuring a fallback shell for executing commands.
  • Configuring a codepage for interpreting shell command output.
  • Pausing communication until a specified datetime.
  • Responding with "Not implemented on Linux!"
  • Starting a reverse proxy for remote connections.
  • Reporting control endpoints for the reverse proxy.
  • Creating arbitrary files on the system.
  • Exfiltrating files from the system.

According to Symantec, these commands are nearly identical to those supported by the GoBear Windows backdoor.

Supply-Chain Attack Strategies

Researchers believe supply-chain attacks involving trojanized software installers are a preferred tactic of North Korean espionage actors like Kimsuky. The software chosen for trojanizing is selected to maximize the chances of infecting the intended South Korean targets.

Indicators of Compromise

Symantec's report on the campaign includes a set of indicators of compromise for several malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper. These indicators help cybersecurity professionals detect and mitigate threats posed by these tools.

The emergence of Gomir is only one of many North Korea-linked attacks. Aside from Kimsuky, other dangerous groups remain active. Given their focus on supply-chain attacks and malware-laced installers, organizations need to stay watchful for these campaigns.

In the US, the DOJ announced arrests of people behind a North Korean identity-theft scheme that reportedly targeted American corporations.

Joseph Henry
Tech Times
ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.