Pierluigi Paganini
May 19, 2024
Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages.
Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researcher in 2013. The APT group mainly targets think tanks and organizations in South Korea, other victims were in the United States, Europe, and Russia.
In 2023 the state-sponsored group focused on nuclear agendas between China and North Korea, relevant to the ongoing war between Russia and Ukraine.
Gomir and GoBear share a great portion of their code.
Researchers from South Korean security firm S2W first uncovered the compaign in February 2024, the threat actors were observed delivering a new malware family named Troll Stealer using Trojanized software installation packages. Troll Stealer supports multiple stealing capabilities, it allows operators to gather files, screenshots, browser data, and system information. The malicious code is written in Go, and researchers noticed that Troll Stealer contained a large amount of code overlap with earlier Kimsuky malware.
Troll Stealer can also copy the GPKI (Government Public Key Infrastructure) folder on infected computers. GPKI is the public key infrastructure schema for South Korean government personnel and state organizations, suggesting that government agencies were among the targeted by state-sponsored hackers.
The malware was distributed inside the installation packages for TrustPKI and NX_PRNMAN, software developed by SGA Solutions. Victims downloaded the packages from a page that was redirected from a specific website.
Symantec also discovered that Troll Stealer was also delivered in Trojanized Installation packages for Wizvera VeraPort.
The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.) that is requested to visit particular government and banking domains. WIZVERA VeraPort is used to digitally sign and verify downloads.
Wizvera VeraPort was previously reported to have been compromised by a supply chain attack conducted by North Korea-linked group Lazarus.
“Troll Stealer appears to be related to another recently discovered Go-based backdoor named GoBear. Both threats are signed with a legitimate certificate issued to “D2innovation Co.,LTD”. GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin.” reads the report published by Symantec.
When executed, the malware checks the group ID value to determine if it is running as group 0 (group is associated with the superuser or administrative privileges) on the Linux machine, and then copies itself to /var/log/syslogd to maintain persistence persistence.
It creates a systemd service named ‘syslogd’ and starts it, then deletes the original executable and terminates the initial process. The backdoor also attempts to configure a crontab command to run on system reboot by creating a helper file (‘cron.txt’) in the current directory. If the crontab list is successfully updated, the malware deletes the helper file without any command-line parameters before executing it.
The Gomir backdoor periodically communicates with its C2 via HTTP POST requests to http://216.189.159[.]34/mir/index.php
The malicious code pools the commands to execute, and the researchers observed it supporting multiple commands. including:
| Operation | Description |
|---|---|
| 01 | Pauses communication with the C&C server for an arbitrary time duration. |
| 02 | Executes an arbitrary string as a shell command (“[shell]” “-c” “[arbitrary_string]”). The shell used is specified by the environment variable “SHELL”, if present. Otherwise, a fallback shell is configured by operation 10 below. |
| 03 | Reports the current working directory. |
| 04 | Changes the current working directory and reports the working directory’s new pathname. |
| 05 | Probes arbitrary network endpoints for TCP connectivity. |
| 06 | Terminates its own process. This stops the backdoor. |
| 07 | Reports the executable pathname of its own process (the backdoor executable). |
| 08 | Collects statistics about an arbitrary directory tree and reports: total number of subdirectories, total number of files, total size of files |
| 09 | Reports the configuration details of the affected computer: hostname, username, CPU, RAM, network interfaces, listing each interface name, MAC, IP, and IPv6 address |
| 10 | Configures a fallback shell to use when executing the shell command in operation 02. Initial configuration value is “/bin/sh”. |
| 11 | Configures a codepage to use when interpreting output from the shell command in operation 02. |
| 12 | Pauses communication with the C&C server until an arbitrary datetime. |
| 13 | Responds with the message “Not implemented on Linux!” (hardcoded). |
| 14 | Starts a reverse proxy by connecting to an arbitrary control endpoint. The communication with the control endpoint is encrypted using the SSL protocol and uses messages consistent with https://github.com/kost/revsocks.git, where the backdoor acts as a proxy client. This allows the remote attacker to initiate connections to arbitrary endpoints on the victim network. |
| 15 | Reports the control endpoints of the reverse proxy. |
| 30 | Creates an arbitrary file on the affected computer. |
| 31 | Exfiltrates an arbitrary file from the affected computer. |
Gomir and GoBear Windows backdoor supports almost the same commands.
The latest Kimsuky campaign highlights that North Korean espionage actors increasingly favor software installation packages and updates as infection vectors. The experts noticed a shift to software supply chain attacks through trojanized software installers and fake software installers. A prominent example is the 3CX supply chain attack, stemming from the earlier X_Trader attack.
“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors.” concludes the report. “Springtail, meanwhile, has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”
The report also provides indicators of compromise for artifacts employed in the latest campaign, including the Troll Stealer, Gomir, and the GoBear dropper.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, North Korea)
