Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks


May 17, 2024 at 05:33AM

The Kimsuky APT group, associated with North Korea’s Reconnaissance General Bureau, has been observed deploying the Gomir backdoor on Linux to target South Korean organizations. The malware shares extensive code with GoBear and is distributed through trojanized security programs. The campaign highlights the preference for software installation packages as infiltration vectors for North Korean espionage.

The Kimsuky advanced persistent threat (APT) group, associated with North Korea’s Reconnaissance General Bureau, has been observed deploying a Linux version of its GoBear backdoor in a campaign targeting South Korean organizations. The backdoor, named Gomir, shares extensive code with GoBear and is distributed through trojanized security programs downloaded from a South Korean construction-related association’s website.

Gomir supports remote command execution and is delivered by droppers posing as legitimate installers. This latest campaign by Springtail (the name Symantec uses for Kimsuky) points to a shift toward software installation packages and updates as the preferred infection vectors for North Korean espionage actors.

The underlying report details the malware’s capabilities and distribution mechanisms, illustrating how Kimsuky’s tactics against South Korean organizations continue to evolve.
