Kimsuky Targets South Korea with New Linux Malware: Gomir

The cybersecurity firm Symantec has identified a new tool employed by the North Korean group Kimsuky, targeting government and commercial organizations in South Korea.

This new malware, named Gomir, is the Linux version of the well-known Windows Trojan GoBear. The new version retains all the primary functions of its predecessor, including direct communication with a C2 server, persistence mechanisms, and support for executing a wide range of commands.


Upon installation, Gomir checks the group ID value to determine if it is operating with root privileges. It then copies itself to the /var/log/syslogd directory to ensure persistence. Next, it creates a systemd service named “syslogd,” starts the service, and deletes the original executable file, thus completing the initial setup process.

Gomir also attempts to configure a crontab command to execute upon system reboot, creating an auxiliary file “cron.txt” in the current working directory. If the crontab update is successful, the auxiliary file is deleted.
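The two persistence mechanisms described above (a systemd service named "syslogd" started from a copy of the binary at /var/log/syslogd, plus a crontab entry that runs on reboot) are simple to sweep for on a Linux host. The following Python is an added defensive check, not code from the Symantec report or from the malware; it assumes the unit file lives in one of the standard systemd unit directories and that the reboot entry is an `@reboot` line, and the sample file contents and crontab are constructed for the demonstration.

```python
"""Host sweep for the Gomir persistence traits described in the write-up:
a copy of the binary at /var/log/syslogd, a systemd unit named syslogd
whose ExecStart runs from /var/log, and an @reboot crontab line.
Inputs are passed in explicitly so the logic runs offline against
constructed data; a real sweep would read these files from disk."""
import re
from dataclasses import dataclass, field

# Path and service name come from the report; the unit directories are an assumption.
SUSPECT_BINARY = "/var/log/syslogd"
SUSPECT_UNIT_NAMES = {"syslogd.service"}
UNIT_DIRS = ("/etc/systemd/system/", "/usr/lib/systemd/system/", "/lib/systemd/system/")


@dataclass
class Findings:
    binary_present: bool = False
    suspicious_units: list = field(default_factory=list)
    reboot_cron_lines: list = field(default_factory=list)

    def is_suspicious(self):
        return self.binary_present or bool(self.suspicious_units) or bool(self.reboot_cron_lines)


def exec_start_of(unit_text):
    """Return the first ExecStart= program path in a unit file, or None."""
    m = re.search(r"^\s*ExecStart\s*=\s*(\S+)", unit_text, re.M)
    return m.group(1) if m else None


def check_units(files):
    """files: mapping path -> content. Flag units named syslogd whose ExecStart runs from /var/log."""
    hits = []
    for path, text in files.items():
        name = path.rsplit("/", 1)[-1]
        if not path.startswith(UNIT_DIRS) or name not in SUSPECT_UNIT_NAMES:
            continue
        exe = exec_start_of(text)
        if exe and exe.startswith("/var/log/"):
            hits.append(path)
    return hits


def check_crontab(crontab_text):
    """Return @reboot lines that execute something from /var/log (a log directory, not a binary location)."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if s.startswith("@reboot") and "/var/log/" in s:
            hits.append(s)
    return hits


def sweep(files, crontab_text):
    """Combine the three checks into one Findings record."""
    f = Findings()
    f.binary_present = SUSPECT_BINARY in files
    f.suspicious_units = check_units(files)
    f.reboot_cron_lines = check_crontab(crontab_text)
    return f


# Constructed sample data (not real IoCs from the report).
SAMPLE_FILES = {
    "/var/log/syslogd": "\x7fELF...constructed placeholder...",
    "/etc/systemd/system/syslogd.service": (
        "[Unit]\nDescription=syslogd\n[Service]\nExecStart=/var/log/syslogd\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/lib/systemd/system/rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n",
}
SAMPLE_CRONTAB = "# constructed\n0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n@reboot /var/log/syslogd\n"

CLEAN_FILES = {"/lib/systemd/system/rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n\n"}
CLEAN_CRONTAB = "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"

if __name__ == "__main__":
    print(sweep(SAMPLE_FILES, SAMPLE_CRONTAB))
    print(sweep(CLEAN_FILES, CLEAN_CRONTAB))
```

The check keys on the combination the report describes (service name, binary location under a log directory, reboot-time cron entry) rather than on the name "syslogd" alone, since a legitimate rsyslog unit runs its daemon from /usr/sbin and is not started from cron.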

The malware supports 17 operations executed through commands received via HTTP POST requests from the C2 server. These operations include suspending communication with the C2 server, executing arbitrary shell commands, collecting system information (such as hostname, username, CPU, RAM, network interfaces), creating arbitrary files on the system, and exfiltrating them.

Symantec researchers note that Gomir's command set is almost identical to that of the Windows version, GoBear. This points to a consistent approach to attacks across operating systems and to a high degree of preparation and organization within the Kimsuky group.

The Symantec report also includes indicators of compromise for several malicious tools used in this campaign, including Gomir, Troll Stealer, and the GoBear installer.

According to experts, supply chain attacks involving the use of Trojans and infected installers are a preferred method for North Korean espionage groups. The selection of software to be trojanized is meticulously done to maximize the chances of compromising target systems in South Korea.