North Korean Hackers Deploy New Linux Backdoor Through Trojanized Installers

A North Korean hacker group known as Kimsuky has recently been identified using a new Linux malware named Gomir. Gomir is a Linux version of the GoBear backdoor and is being delivered through trojanized software installers.

Kimsuky is a state-sponsored threat actor linked to North Korea’s military intelligence agency, the Reconnaissance General Bureau (RGB).

Researchers at the threat intelligence company S2W uncovered a campaign in early February 2024 in which Kimsuky used trojanized versions of popular software to infect South Korean targets. Symantec analysts investigated the same campaign and found a new malicious tool that appears to be a Linux variant of the GoBear backdoor.

The Gomir backdoor shares many similarities with GoBear: it communicates directly with its command-and-control server, establishes persistence, and executes a range of commands. Upon installation, the malware checks whether it is running as root on the Linux machine and creates files for persistence, such as a ‘systemd’ service named ‘syslogd’ and a ‘cron.txt’ file used to configure commands that run at system reboot.
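As an added defender-side example (not code from the Symantec or S2W reports), the Python below hunts for the two persistence traits described above: a systemd unit that borrows the ‘syslogd’ name without being a known logger, and crontab entries scheduled at reboot. The unit file name ‘syslogd.service’, the ‘@reboot’ form of the cron entry, and every path in the sample data are assumptions constructed for this illustration, since the article names the artifacts but not their contents.

```python
import re
from pathlib import Path
from typing import Dict, List

# Unit names that mainstream syslog implementations actually register.
# A service called "syslogd.service" is not among them (assumption based on
# common distributions), so it should be inspected rather than trusted by name.
KNOWN_SYSLOG_UNITS = {"rsyslog.service", "syslog-ng.service", "syslog.service"}

def load_unit_files(unit_dir: Path) -> Dict[str, str]:
    """Read every *.service file in a systemd unit directory (name -> text)."""
    return {p.name: p.read_text(errors="replace") for p in unit_dir.glob("*.service")}

def find_suspicious_units(unit_files: Dict[str, str]) -> List[str]:
    """Flag units that use a syslog-like name but are not a known logger."""
    hits = []
    for name, body in unit_files.items():
        if not name.startswith("syslog") or name in KNOWN_SYSLOG_UNITS:
            continue
        match = re.search(r"^ExecStart=(.*)$", body, re.MULTILINE)
        exec_start = match.group(1).strip() if match else "<none>"
        hits.append(f"{name}: ExecStart={exec_start}")
    return hits

def find_reboot_cron(crontab_lines: List[str]) -> List[str]:
    """Return crontab entries scheduled with @reboot, i.e. boot-time persistence."""
    return [line.strip() for line in crontab_lines if line.strip().startswith("@reboot")]

# Constructed sample input, not real Gomir artifacts: one legitimate logger unit
# and one look-alike whose ExecStart path is hypothetical.
SAMPLE_UNITS = {
    "rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n",
    "syslogd.service": "[Service]\nExecStart=/tmp/.cache/syslogd\nRestart=always\n",
}
SAMPLE_CRON = [
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    "@reboot /tmp/.cache/syslogd",
]

if __name__ == "__main__":
    # On a live host, replace SAMPLE_UNITS with load_unit_files(Path("/etc/systemd/system"))
    # and SAMPLE_CRON with the lines of the relevant crontab.
    for hit in find_suspicious_units(SAMPLE_UNITS) + find_reboot_cron(SAMPLE_CRON):
        print("SUSPICIOUS:", hit)
```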

Gomir supports a wide range of operations, triggered by commands received from the command and control (C2) server. These operations include executing shell commands, probing network endpoints, and exfiltrating files from the system.

According to Symantec researchers, the commands supported by Gomir are very similar to those found in the GoBear Windows backdoor.

The researchers believe that supply-chain attacks involving trojanized installers and fake software are the preferred method of attack for North Korean espionage actors. They note that the software chosen for trojanization appears to have been carefully selected to target victims based in South Korea.

Symantec’s report includes indicators of compromise for multiple malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper.

Fabio

Full Stack Developer
