The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.
The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with extensive sharing of code between malware variants,” the Symantec Threat Hunter Team, part of Broadcom, said in a new report. “Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.”
GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed.
A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed through trojanized security programs downloaded from an unspecified South Korean construction-related association's website.
This includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously subjected to a software supply chain attack by the Lazarus Group in 2020.
Symantec said that it also observed the Troll Stealer malware being delivered via rogue installers for Wizvera VeraPort, although the exact distribution mechanism by which the installation packages get delivered is currently unknown.
“GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin,” the company noted.
The malware, which supports capabilities to execute commands received from a remote server, is also said to be propagated by droppers that masquerade as a fake installer for an app for a Korean transportation organization.
Its Linux counterpart, Gomir, supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified duration, run shell commands, and terminate its own process.
“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.
“The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”