Symantec researchers observed the North Korea-linked group Kimsuky<\/a> using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.
Kimsuky\u00a0cyberespionage group\u00a0<\/a>(aka Springtail,\u00a0ARCHIPELAGO, Black Banshee,\u00a0Thallium<\/a>, Velvet Chollima,\u00a0APT43<\/a>) was first\u00a0spotted<\/a>\u00a0by Kaspersky researcher in 2013.
Gomir and GoBear share a great portion of their code.<\/p>\n\n\n\n
Researchers from South Korean security firm S2W first uncovered<\/a> the compaign in February 2024, the threat actors were observed delivering a new malware family named Troll Stealer using Trojanized software installation packages. Troll Stealer supports multiple stealing capabilities, it allows operators to gather files, screenshots, browser data, and system information. The malicious code is written in Go, and researchers noticed that Troll Stealer contained a large amount of code overlap with earlier Kimsuky malware.<\/p>\n\n\n\n
Troll Stealer can also copy the GPKI (Government Public Key Infrastructure) folder on infected computers.\u00a0GPKI is the public key infrastructure schema<\/a>\u00a0for South Korean government personnel and state organizations, suggesting that government agencies were among the targeted by state-sponsored hackers.<\/p>\n\n\n\n
Symantec also discovered that Troll Stealer was also delivered in Trojanized Installation packages for Wizvera VeraPort<\/a>. <\/p>\n\n\n\n
Wizvera VeraPort was\u00a0previously reported to have been compromised<\/a>\u00a0by a supply chain attack conducted by North Korea-linked group Lazarus<\/a>.<\/p>\n\n\n\n
“Troll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to \u201cD2innovation Co.,LTD\u201d. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.” reads the report<\/strong><\/a> published by Symantec.
Operation<\/th> | Description<\/th><\/tr><\/thead> |
---|---|
01<\/td> | Pauses communication with the C&C server for an arbitrary time duration.<\/td><\/tr> |
02<\/td> | Executes an arbitrary string as a shell command (“[shell]” “-c” “[arbitrary_string]”). The shell used is specified by the environment variable “SHELL”, if present. Otherwise, a fallback shell is configured by operation 10 below.<\/td><\/tr> |
03<\/td> | Reports the current working directory.<\/td><\/tr> |
04<\/td> | Changes the current working directory and reports the working directory\u2019s new pathname.<\/td><\/tr> |
05<\/td> | Probes arbitrary network endpoints for TCP connectivity.<\/td><\/tr> |
06<\/td> | Terminates its own process. This stops the backdoor.<\/td><\/tr> |
07<\/td> | Reports the executable pathname of its own process (the backdoor executable).<\/td><\/tr> |
08<\/td> | Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files<\/td><\/tr> |
09<\/td> | Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address<\/td><\/tr> |
10<\/td> | Configures a fallback shell to use when executing the shell command in operation 02. Initial configuration value is “\/bin\/sh”.<\/td><\/tr> |
11<\/td> | Configures a codepage to use when interpreting output from the shell command in operation 02.<\/td><\/tr> |
12<\/td> | Pauses communication with the C&C server until an arbitrary datetime.<\/td><\/tr> |
13<\/td> | Responds with the message “Not implemented on Linux!” (hardcoded).<\/td><\/tr> |
14<\/td> | Starts a reverse proxy by connecting to an arbitrary control endpoint. The communication with the control endpoint is encrypted using the SSL protocol and uses messages consistent with https:\/\/github.com\/kost\/revsocks.git, where the backdoor acts as a proxy client. This allows the remote attacker to initiate connections to arbitrary endpoints on the victim network.<\/td><\/tr> |
15<\/td> | Reports the control endpoints of the reverse proxy.<\/td><\/tr> |
30<\/td> | Creates an arbitrary file on the affected computer.<\/td><\/tr> |
31<\/td> | Exfiltrates an arbitrary file from the affected computer.<\/td><\/tr><\/tbody><\/table> Gomir and GoBear Windows backdoor supports almost the same commands.<\/p>\n\n\n\n The latest Kimsuky campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors. The experts noticed a shift to software supply chain attacks through trojanized software installers and fake software installers. A prominent example is the 3CX supply chain attack<\/a>, stemming from the earlier X_Trader attack. The report also provides indicators of compromise<\/a>\u00a0for artifacts employed in the latest campaign, including the Troll Stealer, Gomir, and the GoBear dropper. Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n (<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0North Korea<\/a>)<\/strong><\/p>\n\n\n\n |