North Korean hacker group Kimsuky has unveiled a new Linux malware named “Gomir,” a variant of the GoBear backdoor. This development marks a significant advancement in the group’s cyber espionage tactics. Kimsuky, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB), has a history of sophisticated cyber attacks aimed primarily at South Korean entities.
In early February 2024, researchers at SW2, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions. These included TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort. The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear.
Further investigation by Symantec, a Broadcom company, revealed that the same campaign also deployed a Linux variant of the GoBear backdoor, dubbed “Gomir.” This new malware shares many similarities with its Windows counterpart, featuring direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands.
Upon installation, Gomir checks the group ID value to determine if it runs with root privileges on the Linux machine.
It then copies itself to /var/log/syslogd for persistence, creates a systemd service named ‘syslogd,’ and issues commands to start the service. Follo
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: