Kimsuky hackers deploy new Linux backdoor via trojanized installers

May 16, 2024 at 09:35AM

North Korean hacker group Kimsuky, linked to military intelligence, used trojanized software packages to deliver the Linux malware Gomir in cyberespionage campaigns against South Korean targets. The malware, a variant of GoBear, establishes persistence on Linux machines and supports 17 operations triggered through HTTP POST requests. The campaign is part of the supply-chain attack approach used in North Korean espionage.

Key Takeaways:

1. North Korean hacker group Kimsuky has been using trojanized software packages to deploy a new Linux malware called Gomir in cyberespionage campaigns against South Korean targets.

2. Kimsuky is a state-sponsored threat actor associated with North Korea’s military intelligence, the Reconnaissance General Bureau (RGB).

3. Research by the threat intelligence company S2W and by Symantec, a Broadcom company, revealed instances of trojanized software, such as TrustPKI, NX_PRNMAN from SGA Solutions, and Wizvera VeraPort, being employed by Kimsuky in their campaigns.

4. Gomir, a new Linux variant of the GoBear backdoor, was discovered. It shares many similarities with GoBear in terms of functionality.

5. Gomir malware exhibits multiple features including persistence mechanisms, direct command and control (C2) communication, and support for executing a range of commands.

6. Gomir supports 17 operations, each triggered by a corresponding command received via HTTP POST requests from the command and control (C2) server.

7. According to Symantec researchers, North Korean espionage actors are favoring supply-chain attacks as their preferred method, and the trojanized software choices indicate careful planning to maximize the chances of infecting South Korean-based targets.

8. Symantec’s report contains indicators of compromise for various malicious tools observed in the campaign, including Gomir, Troll Stealer, and the GoBear dropper.
