Kimsuky APT Deploys Linux Backdoor ‘Gomir’ in Cyber Attacks Targeting South Korea

The Kimsuky APT group, also known as Springtail and linked to North Korea’s Reconnaissance General Bureau (RGB), has launched a new attack against South Korean organizations using a Linux variant of its GoBear backdoor. The Symantec Threat Hunter Team from Broadcom reported that this backdoor, named Gomir, shares significant code similarities with GoBear. OS-dependent features in GoBear are either absent or re-implemented in Gomir.

GoBear and Its Connections

South Korean security firm S2W first identified GoBear in early February 2024, linking it to the distribution of Troll Stealer, a connection that ties it to Kimsuky malware families such as AppleSeed and AlphaSeed. The AhnLab Security Intelligence Center (ASEC) found that the malware spreads through trojanized security programs hosted on a website associated with a South Korean construction-related association. The compromised programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort; the Lazarus Group targeted these same programs in a 2020 software supply chain attack.

Distribution and Functionality of Gomir

Symantec observed that Troll Stealer spreads through malicious installers for Wizvera VeraPort, although the exact method of delivering these installation packages remains undisclosed. The report also noted that GoBear shares function names with an older Springtail backdoor called BetaSeed, written in C++, suggesting a common origin.

Gomir, the Linux variant of the malware, supports up to 17 commands. These commands enable threat actors to perform various operations such as file manipulations, initiating a reverse proxy, pausing command-and-control (C2) communications for a specified period, executing shell commands, and terminating its own processes. The malware spreads through droppers disguised as fake installers for an application associated with a Korean transport organization.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec stated. “The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”
