Symantec researchers have uncovered a new instrument of the North Korean group Kimsuky, known as the Gomir malware. This malware, identified as the Linux version of the Gobear Trojan that originally targeted Windows systems, is being used in attacks on government and commercial organizations in South Korea.
Gomir, once installed, checks for super-user privileges and then copies itself to /var/log/syslogd to persist on the host. It also creates a systemd service called "syslogd" and launches it, before deleting the original executable file to complete the initial setup.
The malicious program also attempts to configure a crontab entry that runs on system reboot, creating a helper file named "cron.txt" in the current working directory. If the crontab update succeeds, the helper file is removed.
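The persistence traits described above (a copy of the binary at /var/log/syslogd, a systemd unit named "syslogd", a reboot-triggered crontab entry, and a possibly leftover cron.txt helper) give a defender a small, concrete audit. The following is an added example and not Symantec's or the report's own tooling: the `audit_*` function names, the sample paths, unit files and crontab lines are constructed here, and the exact shape of Gomir's unit file and crontab line (assumed to be an `@reboot` entry) is not stated on the page, so those details are assumptions.

```python
"""Audit Linux persistence points for the Gomir traits described in the text.
Added example (not Symantec's tooling). Inputs are passed in as data so the
checks run offline against constructed samples; on a live host the caller
would collect them via os.walk over /var/log, the unit files under
/etc/systemd/system, and the output of `crontab -l` for each user."""

import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # "filesystem", "systemd" or "crontab"
    detail: str


# Path named on the page: a daemon-looking executable living under /var/log.
SUSPECT_PATH = "/var/log/syslogd"
# Unit name named on the page (".service" suffix is assumed).
UNIT_NAME = "syslogd.service"
# Writable data directories from which no legitimate service should start.
WRITABLE_PREFIXES = ("/var/log/", "/tmp/", "/var/tmp/", "/dev/shm/")


def audit_filesystem(paths):
    """Flag the exact /var/log/syslogd path and any leftover cron.txt helper."""
    findings = []
    for p in paths:
        if p.rstrip("/") == SUSPECT_PATH:
            findings.append(Finding("filesystem", f"executable-looking file {p} under /var/log"))
        if p.endswith("/cron.txt"):
            findings.append(Finding("filesystem", f"possible crontab helper file left behind: {p}"))
    return findings


def audit_systemd_units(units):
    """units: mapping of unit file name -> unit file text.
    A genuine syslog daemon starts from /usr/sbin, so the signal is the
    ExecStart path, not the name alone; the name is reported as context."""
    findings = []
    for name, text in units.items():
        m = re.search(r"^ExecStart\s*=\s*(\S+)", text, re.MULTILINE)
        exec_path = m.group(1) if m else ""
        if exec_path.startswith(WRITABLE_PREFIXES):
            note = " (name mimics the syslog daemon)" if name == UNIT_NAME else ""
            findings.append(Finding("systemd", f"unit {name} starts {exec_path} from a writable data directory{note}"))
    return findings


def audit_crontab(lines):
    """Flag reboot-triggered entries that launch the suspect path.
    The @reboot form is an assumption; the page only says 'on system reboot'."""
    findings = []
    for line in lines:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("@reboot") and SUSPECT_PATH in s:
            findings.append(Finding("crontab", f"reboot entry launching {SUSPECT_PATH}: {s}"))
    return findings


def audit_host(paths, units, crontab_lines):
    """Run all three checks and return the combined list of findings."""
    return audit_filesystem(paths) + audit_systemd_units(units) + audit_crontab(crontab_lines)


# Constructed sample data: one infected-looking host next to benign entries.
SAMPLE_PATHS = [
    "/var/log/syslog",            # normal log file, must not match
    "/var/log/syslogd",           # the suspect copy
    "/home/analyst/cron.txt",     # helper file not cleaned up
    "/usr/sbin/rsyslogd",         # legitimate daemon
]
SAMPLE_UNITS = {
    "syslogd.service": (
        "[Unit]\nDescription=syslogd\n\n[Service]\nExecStart=/var/log/syslogd\n"
        "Restart=always\n\n[Install]\nWantedBy=multi-user.target\n"
    ),
    "rsyslog.service": (
        "[Unit]\nDescription=System Logging Service\n\n[Service]\n"
        "ExecStart=/usr/sbin/rsyslogd -n -iNONE\n"
    ),
}
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "@reboot /var/log/syslogd",
    "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
]

if __name__ == "__main__":
    for f in audit_host(SAMPLE_PATHS, SAMPLE_UNITS, SAMPLE_CRONTAB):
        print(f"[{f.source}] {f.detail}")
```

Run against the constructed sample the audit reports four findings (the /var/log/syslogd file, the cron.txt helper, the unit that starts from /var/log, and the reboot crontab entry) and stays silent on rsyslog and the normal /var/log/syslog file. The systemd check deliberately keys on where ExecStart points rather than on the "syslogd" name, since a distribution may legitimately ship a unit by that name; a service binary under /var/log is anomalous regardless of what it is called.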
Gomir is capable of performing 17 operations, received as HTTP POST requests from the C2 server, which include suspending communication with the server, executing arbitrary shell commands, collecting system information, and creating and exfiltrating files on the system.
Symantec researchers highlighted the similarity in command sets between Gomir and the Gobear Windows version, indicating that the Kimsuky group takes a consistent approach to attacks across different operating systems and showcasing its high level of preparation and organization.
In addition to Gomir, Symantec has identified indicators of compromise for other malicious tools used in this campaign, such as Troll Stealer and the Gobear installer. Experts point out that North Korean spy groups often target supply chain weaknesses, using trojans and infected installers to maximize their reach in South Korea.