Gomir: a new tool for hackers from North Korea to attack Linux

Father

The Trojan has already been used against South Korean government networks.

Cybersecurity company Symantec has identified a new tool of the North Korean group Kimsuky, used to attack government and commercial organizations in South Korea.

The new malware is called Gomir and is a Linux version of the well-known Windows-focused GoBear Trojan. The new version has all the main features of its predecessor, including direct communication with the C2 server, persistence mechanisms on the system, and support for executing a wide range of commands.

After installation, Gomir checks its group ID to determine whether it is running with superuser (root) privileges. The malware then copies itself to /var/log/syslogd to persist on the system. Next, a systemd service named "syslogd" is created and started, the original executable file is deleted, and the initial process exits.

Gomir also tries to configure a crontab entry that runs it on system reboot, creating an auxiliary file "cron.txt" in the current working directory to do so. If the crontab update succeeds, the auxiliary file is deleted.
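The persistence steps above (a copy of the binary under /var/log, a systemd unit named "syslogd" that launches it, and an @reboot crontab entry) are exactly the artefacts a defender can hunt for. The following Python script is an added example, not code from Symantec or from the article; the indicator values are the ones the article names, while the unit file text, crontab text and directory listings it checks are constructed inputs so it runs offline. It leans on the robust signal rather than the weak one: an executable living under /var/log is anomalous regardless of what the unit is called, whereas the name "syslogd" alone is assumed to be too close to legitimate syslog daemons to flag on its own.

```python
"""Hunt for the Gomir persistence artefacts described in the article.

Added example (not from the Symantec report). Indicator values come
from the article; all inputs below are constructed for offline use.
"""
import re
from dataclasses import dataclass

# Indicators named in the article.
GOMIR_DROP_PATH = "/var/log/syslogd"
GOMIR_UNIT_NAME = "syslogd"
GOMIR_CRON_HELPER = "cron.txt"

# systemd allows prefixes such as '-', '@', '+', '!' before the executable.
_EXECSTART_RE = re.compile(r"^\s*ExecStart\s*=\s*[-@+!:]*(\S+)")


@dataclass(frozen=True)
class Finding:
    source: str   # where the artefact was seen, e.g. "systemd:syslogd"
    detail: str   # human-readable explanation


def check_systemd_unit(unit_name: str, unit_text: str) -> list[Finding]:
    """Flag a unit whose ExecStart points at a binary under /var/log.

    A log directory should never host an executable, so that is the
    strong signal. The exact Gomir combination (unit named 'syslogd'
    launching /var/log/syslogd) is reported as a second, higher-confidence
    finding; the name alone is deliberately not flagged (assumption:
    legitimate syslog daemons may carry similar unit names).
    """
    findings: list[Finding] = []
    for line in unit_text.splitlines():
        m = _EXECSTART_RE.match(line)
        if not m:
            continue
        exe = m.group(1)
        if exe.startswith("/var/log/"):
            findings.append(Finding(f"systemd:{unit_name}",
                                    f"ExecStart runs a binary under /var/log: {exe}"))
        if unit_name == GOMIR_UNIT_NAME and exe == GOMIR_DROP_PATH:
            findings.append(Finding(f"systemd:{unit_name}",
                                    "unit name and ExecStart match the Gomir drop path"))
    return findings


def check_crontab(user: str, crontab_text: str) -> list[Finding]:
    """Flag @reboot entries that execute something under /var/log,
    which is the reboot persistence the article describes."""
    findings: list[Finding] = []
    for line in crontab_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("@reboot") and "/var/log/" in entry:
            findings.append(Finding(f"crontab:{user}",
                                    f"@reboot entry runs from /var/log: {entry}"))
    return findings


def check_cron_helper(directory: str, listing: list[str]) -> list[Finding]:
    """The helper file is deleted when the crontab update succeeds, so a
    leftover cron.txt is only evidence of a failed attempt (weak signal)."""
    if GOMIR_CRON_HELPER in listing:
        return [Finding(f"dir:{directory}",
                        f"leftover {GOMIR_CRON_HELPER} helper file (failed crontab update?)")]
    return []


def hunt(units: dict[str, str], crontabs: dict[str, str],
         listings: dict[str, list[str]]) -> list[Finding]:
    """Run every check over the supplied artefacts and collect findings."""
    findings: list[Finding] = []
    for name, text in units.items():
        findings.extend(check_systemd_unit(name, text))
    for user, text in crontabs.items():
        findings.extend(check_crontab(user, text))
    for directory, listing in listings.items():
        findings.extend(check_cron_helper(directory, listing))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: one malicious-looking unit, one benign one.
    sample_units = {
        "syslogd": "[Unit]\nDescription=syslogd\n\n[Service]\n"
                   "ExecStart=/var/log/syslogd\nRestart=always\n\n"
                   "[Install]\nWantedBy=multi-user.target\n",
        "rsyslog": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n",
    }
    sample_crontabs = {
        "root": "@reboot /var/log/syslogd\n0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n",
    }
    sample_listings = {"/tmp/work": ["cron.txt", "notes"]}
    for f in hunt(sample_units, sample_crontabs, sample_listings):
        print(f"[{f.source}] {f.detail}")
```

On a live host the same functions can be fed the contents of /etc/systemd/system/*.service and the per-user crontab files; the output is a list of findings rather than a verdict, so the weak cron.txt signal can be weighted separately from the ExecStart-under-/var/log one.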

The malware supports 17 operations, triggered by commands received via HTTP POST requests from the C2 server. Operations include pausing communication with the C2 server, executing arbitrary shell commands, collecting information about the system (host name, user name, CPU, RAM, network interfaces), creating arbitrary files on the system, and exfiltrating files.

Symantec researchers note that Gomir's command set is almost identical to the commands supported by the Windows version of GoBear. This indicates the same approach is reused in attacks on different operating systems, which confirms the high level of training and organization of the Kimsuky group.

The Symantec report also contains indicators of compromise for a variety of malicious tools used in this campaign, including Gomir, Troll Stealer, and the GoBear installer.

According to experts, supply-chain attacks, including the use of Trojans and infected installers, are the preferred method of attack for North Korean espionage groups. The software to be trojanized is chosen carefully to maximize the chances of infecting the target systems in South Korea.