Kimsuky hackers deploy new Linux backdoor in assaults on South Korea

The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir, a Linux version of the GoBear backdoor, delivered through trojanized software installers.

Kimsuky is a state-sponsored threat actor linked to North Korea's military intelligence service, the Reconnaissance General Bureau (RGB).

In early February 2024, researchers at the threat intelligence firm S2W reported on a campaign in which Kimsuky used trojanized versions of various software products (for example TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort) to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear.

Analysts at Symantec, a Broadcom company, looking into the same campaign, which targeted South Korean government organizations, discovered a new malicious tool that appears to be a Linux variant of the GoBear backdoor.

The Gomir backdoor

Gomir shares many similarities with GoBear and features direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands.

Upon installation, the malware checks the group ID value to determine whether it is running with root privileges on the Linux machine, and then copies itself to /var/log/syslogd for persistence. No legitimate executable belongs under /var/log, so a binary at that path is itself a strong host indicator.

Next, it creates a systemd service named 'syslogd' and issues commands that start the service before deleting the original executable and terminating the initial process.

The backdoor also tries to configure a crontab command to run on system reboot by creating a helper file ('cron.txt') in the current working directory. If the crontab list is updated successfully, the helper file is removed as well.
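The three persistence artifacts described above (the dropped binary, the systemd unit and the reboot crontab entry) are concrete enough to hunt for on a host or a mounted disk image. The script below is an added example written for this page, not code from the Symantec report or from the malware. The paths /var/log/syslogd and the 'syslogd' service name come from the article; the unit-file and crontab search locations, and the contents of the sample unit file and crontab used to exercise it, are assumptions about a typical Linux host and are labelled as such in the code.

```python
"""Hunt for the Gomir persistence artifacts the article describes.

Added example for this page, not code from the Symantec report or the malware.
It checks a filesystem root (default "/", or a mounted image) for three traces:
  1. an executable dropped at /var/log/syslogd (no legitimate binary lives there),
  2. a systemd unit named syslogd that launches that path,
  3. a crontab entry that runs the same path at reboot.
The two paths come from the article; the search locations and the sample
unit/crontab contents below are assumptions about a typical Linux host.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

ELF_MAGIC = b"\x7fELF"
SUSPECT_PATH = "/var/log/syslogd"   # from the article
UNIT_NAME = "syslogd.service"       # service name from the article
# Assumed locations to search (typical Linux layout, not taken from the report).
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")
CRON_FILES = ("/etc/crontab",)
CRON_DIRS = ("/var/spool/cron/crontabs", "/var/spool/cron", "/etc/cron.d")


@dataclass
class Finding:
    indicator: str   # dropped_binary | systemd_unit | cron_reboot
    path: str        # absolute path as it would appear on the live host
    detail: str


def _host(root: str, abs_path: str) -> str:
    """Map an absolute host path onto the root being scanned (live "/" or an image)."""
    return os.path.join(root, abs_path.lstrip("/"))


def _unhost(root: str, path: str) -> str:
    return "/" + os.path.relpath(path, root)


def check_dropped_binary(root: str = "/") -> List[Finding]:
    p = _host(root, SUSPECT_PATH)
    if not os.path.isfile(p):
        return []
    with open(p, "rb") as f:
        magic = f.read(4)
    detail = "ELF executable" if magic == ELF_MAGIC else "non-ELF file"
    return [Finding("dropped_binary", SUSPECT_PATH, detail)]


def check_systemd_unit(root: str = "/") -> List[Finding]:
    out = []
    for d in UNIT_DIRS:
        unit = os.path.join(_host(root, d), UNIT_NAME)
        if not os.path.isfile(unit):
            continue
        with open(unit, errors="replace") as f:
            m = re.search(r"^ExecStart\s*=\s*(.+)$", f.read(), re.M)
        exec_start = m.group(1).strip() if m else "<none>"
        out.append(Finding("systemd_unit", os.path.join(d, UNIT_NAME), f"ExecStart={exec_start}"))
    return out


def check_crontab(root: str = "/") -> List[Finding]:
    candidates = [_host(root, f) for f in CRON_FILES]
    for d in CRON_DIRS:
        hd = _host(root, d)
        if os.path.isdir(hd):
            candidates += [os.path.join(hd, n) for n in sorted(os.listdir(hd))]
    out = []
    for path in candidates:
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as f:
            for lineno, line in enumerate(f, 1):
                s = line.strip()
                if not s or s.startswith("#"):
                    continue
                if "@reboot" in s and SUSPECT_PATH in s:
                    out.append(Finding("cron_reboot", _unhost(root, path), f"line {lineno}: {s}"))
    return out


def hunt(root: str = "/") -> List[Finding]:
    """Run all three checks; an empty list means none of the artifacts were found."""
    return check_dropped_binary(root) + check_systemd_unit(root) + check_crontab(root)


def build_sample_root() -> str:
    """Constructed fake root reproducing the artifacts so the hunt can run offline."""
    root = tempfile.mkdtemp(prefix="gomir-hunt-")
    os.makedirs(_host(root, "/var/log"))
    binary = _host(root, SUSPECT_PATH)
    with open(binary, "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)  # ELF header stub, not real code
    os.chmod(binary, 0o755)
    unit_dir = _host(root, "/etc/systemd/system")
    os.makedirs(unit_dir)
    with open(os.path.join(unit_dir, UNIT_NAME), "w") as f:  # assumed unit contents
        f.write("[Unit]\nDescription=syslogd\n\n[Service]\nExecStart=/var/log/syslogd\n"
                "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n")
    cron_dir = _host(root, "/var/spool/cron/crontabs")
    os.makedirs(cron_dir)
    with open(os.path.join(cron_dir, "root"), "w") as f:  # assumed crontab line
        f.write("@reboot /var/log/syslogd\n")
    return root


if __name__ == "__main__":
    for finding in hunt(build_sample_root()):
        print(f"[{finding.indicator}] {finding.path}: {finding.detail}")
```

Run it against a mounted image by passing the mount point to `hunt()`; on a live host, `hunt("/")` reads only files, so it is safe to run from an incident-response shell. The crontab check deliberately requires both `@reboot` and the dropped path on the same line to avoid flagging ordinary reboot jobs.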

Gomir supports the following 17 operations, triggered when the corresponding command is received from the C2 via HTTP POST requests.

  • Pause communication with the C&C server.
  • Execute arbitrary shell commands.
  • Report the current working directory.
  • Change the working directory.
  • Probe network endpoints.
  • Terminate its own process.
  • Report the executable pathname.
  • Collect statistics about directory trees.
  • Report system configuration details (hostname, username, CPU, RAM, network interfaces).
  • Configure a fallback shell for executing commands.
  • Configure a codepage for decoding shell command output.
  • Pause communication until a specified datetime.
  • Respond with "Not implemented on Linux!"
  • Start a reverse proxy for remote connections.
  • Report control endpoints for the reverse proxy.
  • Create arbitrary files on the system.
  • Exfiltrate files from the system.

According to Symantec researchers, the commands above "are almost identical to those supported by the GoBear Windows backdoor."

Based on their analysis of the campaign, the researchers believe that supply-chain attacks (trojanized software, trojanized installers, fake installers) represent the preferred attack method for North Korean espionage actors.

The researchers note that the software chosen for trojanization "appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets."

Symantec's report includes a set of indicators of compromise for several malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper.
