Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.

The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with extensive sharing of code between malware variants,” the Symantec Threat Hunter Team, part of Broadcom, said in a new report. “Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.”

GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered a malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association’s website.

This includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously subjected to a software supply chain attack by the Lazarus Group in 2020.

“GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin,” the company noted.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.

“The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”