The Kimsuky advanced persistent threat (APT) collective, also recognized as Springtail and linked to North Korea’s Reconnaissance General Bureau (RGB), has been detected deploying a Linux iteration of its GoBear backdoor, designated Gomir, in a campaign aimed at South Korean entities.
According to a recent analysis by the Symantec Threat Hunter Team, part of Broadcom, the backdoor dubbed Gomir is “structurally nearly identical to GoBear, with a substantial sharing of code among the malware variants.” They noted that “any functionality in GoBear dependent on the operating system is either absent or reengineered in Gomir.”
GoBear was initially chronicled by the South Korean cybersecurity firm S2W in early February 2024, in association with a campaign that propagated malware called Troll Stealer (also known as TrollAgent). This malware overlaps with recognized Kimsuky malware families, including AppleSeed and AlphaSeed.
Subsequent scrutiny by the AhnLab Security Intelligence Center (ASEC) indicated that the malware disseminates through trojanized security software downloaded from an unspecified South Korean construction-related association’s website.
The compromised applications encompass nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the latter of which experienced a software supply chain attack by the Lazarus Group in 2020.
Symantec has also observed the Troll Stealer malware being disseminated via rogue installers for Wizvera VeraPort, though precisely how the installation packages are distributed remains unclear. “GoBear also retains similar function names to an earlier Springtail backdoor known as BetaSeed, which was crafted in C++, implying both threats originate from a common source,” the company highlighted.
The malware, equipped with capabilities to execute commands received from a remote server, is also reportedly propagated via droppers masquerading as fake installers for an application for a Korean transport organization.
Its Linux version, Gomir, supports up to 17 commands, enabling its operators to perform file operations, initiate a reverse proxy, suspend command-and-control (C2) communications for a specified duration, execute shell commands, and terminate its own process.
“This latest Springtail campaign underscores that software installation packages and updates have become the preferred infection vectors for North Korean espionage operatives,” Symantec remarked.
“The targeted software appears meticulously selected to maximize the probability of infecting the intended South Korean-based targets.”