Gomir Backdoor

The Kimsuky group, also known as Springtail, is an Advanced Persistent Threat (APT) group associated with North Korea's Reconnaissance General Bureau (RGB). Recent observations reveal their deployment of a Linux adaptation of the GoBear backdoor within a campaign aimed at South Korean entities.

Named Gomir, this backdoor closely mirrors the structure of GoBear, with extensive code overlap between the two. Any GoBear functionality that depends on a specific operating system is either absent from Gomir or reimplemented for Linux.

The Gomir Backdoor’s Predecessor Was Used to Deliver Troll Stealer

In early February 2024, researchers documented the emergence of GoBear in connection with a campaign that distributed malware known as Troll Stealer, also called TrollAgent. Further examination of the post-infection malware revealed similarities with established Kimsuky malware families such as AppleSeed and AlphaSeed.

Subsequent analysis found that the malware was distributed through trojanized security programs downloaded from the website of a South Korean construction-related association; the specific association has not been disclosed. The trojanized programs include nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort. Notably, WIZVERA VeraPort was previously abused in a supply chain attack carried out by the Lazarus Group in 2020.

Troll Stealer has also been distributed through rogue installers posing as WIZVERA VeraPort. How those installation packages reach victims is currently unknown.

The Gomir Backdoor Is Designed Specifically to Infect Linux Systems

GoBear exhibits resemblances in function names to an older Springtail backdoor called BetaSeed, written in C++, indicating a potential common origin between the two threats. This malware is equipped with capabilities to execute commands from a remote server and is spread through droppers disguised as counterfeit installers for an application associated with a Korean transportation organization.

Its Linux variant, Gomir, supports a set of 17 commands that allow the attackers to perform file operations, start a reverse proxy, temporarily pause Command-and-Control (C2) communications, execute arbitrary shell commands, and terminate its own process.

This recent Kimsuky campaign underscores the shift towards software installation packages and updates as preferred infection vectors for North Korean espionage actors. The selection of targeted software appears meticulously tailored to enhance the likelihood of infecting intended South Korean targets.

Implement Effective Measures Against Malware Attacks

Effective countermeasures against backdoor infections involve a multi-layered approach aimed at prevention, detection, and response. Here are some best practices:

  • Up-to-date Security Software: Ensure all security software, including anti-malware programs, is updated regularly to detect and remove backdoors and other threats.
  • Regular Software Updates: Operating systems, applications, and firmware should have the latest security patches to mitigate known vulnerabilities that backdoors often exploit.
  • Network Segmentation: Set up network segmentation to isolate critical systems and limit the spread of infections if a backdoor is present.
  • Strong Access Controls and Authentication: Enforce strong passwords, implement multi-factor authentication (MFA), and restrict access privileges to reduce the opportunities for unauthorized access to systems.
  • Employee Training: Educate employees about social engineering tactics used to deploy backdoors, such as phishing emails, and encourage them to report suspicious activities promptly.
  • Application Whitelisting: Use application whitelisting to allow only approved programs to run, preventing unauthorized or malicious software, including backdoors, from executing.
  • Behavioral Analysis: Employ tools that monitor system behavior for anomalous activities indicative of backdoor infections, such as unexpected network connections or file modifications.
  • Regular Security Audits: Conduct routine security audits and penetration testing to recognize and address vulnerabilities that could be exploited by backdoors.
  • Backup and Recovery: Implement regular data backups stored in an independent environment to mitigate the impact of a backdoor infection and facilitate recovery in case of data loss.
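The behavioral analysis item above is where a Linux backdoor with the command set described for Gomir (arbitrary shell command execution, a reverse proxy, C2 traffic) would actually surface. The following Python is an added example, not code from this page, from Symantec, or from any Gomir sample: it runs two simple host-based rules over constructed, simplified audit-style records. The record format, field names, process names, paths and IP addresses are all assumptions made for illustration, not real Gomir telemetry.

```python
"""Flag host activity consistent with a Linux backdoor executing shell commands
and talking to a remote server.

Added example; the record format below is a constructed, simplified stand-in
for execve/connect audit events (one JSON object per line), not real telemetry.

Rule 1: a non-interactive parent (not a shell, cron, init or sshd) spawns `sh -c`.
        Severity is raised when that parent runs from a user-writable path.
Rule 2: an outbound connection is made by a binary living in a user-writable
        location such as /tmp or /var/tmp.
"""
import json
import posixpath

SHELLS = {"sh", "bash", "dash"}

# Parents that legitimately spawn `sh -c` on most servers (assumed baseline).
EXPECTED_SHELL_PARENTS = {
    "bash", "zsh", "sh", "dash", "cron", "crond", "systemd", "sshd", "make", "login",
}

# Directories a long-running, network-active service should not execute from.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")

# Constructed sample records: a benign cron job, a benign curl, and a suspicious
# binary in /var/tmp that runs a reconnaissance shell command and then connects out.
SAMPLE_LOG = """\
{"type":"exec","pid":4101,"ppid":1,"parent_comm":"systemd","exe":"/usr/sbin/cron","argv":["/usr/sbin/cron","-f"]}
{"type":"exec","pid":4120,"ppid":4101,"parent_comm":"cron","exe":"/bin/sh","argv":["/bin/sh","-c","/usr/bin/logrotate /etc/logrotate.conf"]}
{"type":"exec","pid":5210,"ppid":5200,"parent_comm":"update-helper","exe":"/var/tmp/.cache/svc","argv":["/var/tmp/.cache/svc"]}
{"type":"exec","pid":5222,"ppid":5210,"parent_comm":"svc","exe":"/bin/sh","argv":["/bin/sh","-c","uname -a; id; cat /etc/passwd"]}
{"type":"connect","pid":5210,"comm":"svc","exe":"/var/tmp/.cache/svc","dst":"203.0.113.45","dport":443}
{"type":"connect","pid":2231,"comm":"curl","exe":"/usr/bin/curl","dst":"198.51.100.7","dport":443}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def in_writable_location(exe):
    """True when the executable path is under a user-writable prefix."""
    return exe.startswith(WRITABLE_PREFIXES)


def is_noninteractive_shell_exec(rec):
    """Rule 1 predicate: `sh -c ...` spawned by a parent outside the baseline."""
    argv = rec.get("argv") or []
    if not argv or posixpath.basename(argv[0]) not in SHELLS:
        return False
    return "-c" in argv[1:] and rec.get("parent_comm") not in EXPECTED_SHELL_PARENTS


def analyze(records):
    """Return a list of findings, in record order, for the two rules above."""
    exe_by_pid = {}  # remember each pid's executable so connect events can be attributed
    findings = []
    for rec in records:
        if rec["type"] == "exec":
            exe_by_pid[rec["pid"]] = rec["exe"]
            if is_noninteractive_shell_exec(rec):
                parent_exe = exe_by_pid.get(rec["ppid"], "")
                findings.append({
                    "rule": "shell_from_noninteractive_parent",
                    "pid": rec["pid"],
                    "severity": "high" if in_writable_location(parent_exe) else "medium",
                    "detail": f'{rec["parent_comm"]} spawned {" ".join(rec["argv"])}',
                })
        elif rec["type"] == "connect":
            exe = rec.get("exe") or exe_by_pid.get(rec["pid"], "")
            if in_writable_location(exe):
                findings.append({
                    "rule": "network_from_writable_path",
                    "pid": rec["pid"],
                    "severity": "high",
                    "detail": f'{exe} -> {rec["dst"]}:{rec["dport"]}',
                })
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_records(SAMPLE_LOG)):
        print(f'[{finding["severity"]}] pid={finding["pid"]} {finding["rule"]}: {finding["detail"]}')
```

On the constructed input the cron-driven `sh -c` and the `curl` connection pass silently, while the `/var/tmp` binary is flagged twice: once for spawning a shell and once for its outbound connection. The parent baseline and writable-path list are the parts to tune per fleet; the point of the example is the correlation of exec and connect events per pid, which is what separates a backdoor from the many legitimate reasons a host runs `sh -c`.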

By adopting a proactive approach that combines preventive measures with robust detection and response capabilities, organizations can enhance their resilience against backdoor infections and mitigate the associated risks effectively.