Kimsuky, an infamous North Korean state-sponsored threat actor, has been using a new backdoor to target victims’ Linux devices.
Cybersecurity researchers at Symantec, who named the backdoor Gomir, say the new threat is essentially a fork of the GoBear backdoor.
The similarities between Gomir and GoBear include direct C2 communication, persistence methods, and a shared set of capabilities: pausing communication with the C2 server, running arbitrary shell commands, changing the working directory, probing network endpoints, reporting system configuration details, starting a reverse proxy for remote connections, creating arbitrary files on the system, exfiltrating files from the system, and more.
North Korean cyber-espionage
All of these are “almost identical” to what GoBear does on a Windows machine, Symantec said.
Being a state-sponsored group, Kimsuky usually targets high-value organizations in both the private and public sectors abroad, mostly in South Korea. In many previous instances Kimsuky has been seen conducting supply chain attacks, compromising legitimate software that target organizations later install, and that was most likely the case here as well.
Kimsuky is also known as Thallium or Velvet Chollima. The group has been active since at least 2012 and, besides South Korea, is known for targeting entities in the United States, Japan, and other countries. Their primary focus is on intelligence gathering and cyber espionage rather than financial gain.
The group usually relies on spear phishing and social engineering to deploy information-stealing malware on its victims. Some of its biggest campaigns and incidents include the 2013 Operation Kimsuky (targeting South Korean think tanks and universities), the 2020 Covid-19-related attacks (targeting organizations developing vaccines), and attacks on the energy sector in 2021.
Since phishing remains Kimsuky’s primary initial-access method, training employees to recognize and report phishing emails is a key defense against the group. Awareness training does not, however, stop a trojanized installer of the kind the group has used in its supply chain attacks, so organizations should also verify the integrity of the software they deploy and monitor their Linux hosts for unexpected persistence and outbound connections.