Kimsuky, a notorious North Korean state-sponsored threat actor, has used a brand new backdoor to attack victims’ Linux devices.
Cybersecurity researchers at Symantec, who call the backdoor Gomir, claim that the new threat is actually a fork of the GoBear backdoor.
The similarities between Gomir and GoBear include direct C2 communication, persistence methods, and various capabilities such as pausing communication with the C2, executing arbitrary shell commands, changing the working directory, probing network endpoints, reporting system configuration details, starting a reverse proxy for remote connections, creating arbitrary files on the system, exfiltrating files from the system, and more.
North Korean cyber espionage
These are all “nearly identical” to what GoBear does on a Windows machine, Symantec said.
Being a state-sponsored group, Kimsuky typically targets high-profile organizations in both the private and public sectors abroad (mainly in South Korea). In many previous cases, Kimsuky has been spotted carrying out supply chain attacks, compromising legitimate software later used by target organizations, which was likely the case here as well.
Kimsuky is also known as Thallium or Velvet Chollima. The group has been active since at least 2012 and, in addition to South Korea, is known for targeting entities in the United States, Japan and other countries. Their primary focus is on intelligence gathering and cyber espionage rather than financial gain.
The group usually relies on spear phishing and social engineering to deploy infostealing malware on its victims. Some of its largest campaigns and incidents include 2013’s Operation Kimsuky (targeting South Korean think tanks and universities), the 2020 COVID-19-related attacks (targeting organizations involved in developing the vaccine), and attacks on the energy sector in 2021.
Since phishing is Kimsuky’s primary method of compromise, the best way to defend against the group is to educate and train employees to recognize and respond to phishing emails.