Kimsuky, an infamous North Korean state-sponsored threat actor, has been using a new backdoor to attack victims' Linux devices.
Cybersecurity researchers at Symantec, who named the backdoor Gomir, say the new threat is essentially a fork of the GoBear backdoor.
Similarities between Gomir and GoBear include direct C2 communication, persistence methods, and a shared set of capabilities: pausing communication with the C2 server, executing arbitrary shell commands, changing the working directory, polling network endpoints, reporting details of the system configuration, starting a reverse proxy for remote connections, creating arbitrary files on the system, exfiltrating files from the system, and more.
North Korean cyberespionage
All of these are “almost identical” to what GoBear does on a Windows machine, Symantec said.
As a state-sponsored group, Kimsuky typically targets high-value organizations, both public and private, abroad (mainly in South Korea). In many previous cases, Kimsuky has been seen carrying out supply chain attacks, compromising legitimate software that is then used by the targeted organizations, and that was likely the case here as well.
Kimsuky is also known as Thallium or Velvet Chollima. The group has been active since at least 2012 and, in addition to South Korea, is known for targeting entities in the United States, Japan and other countries. Its main objective is intelligence gathering and cyberespionage rather than financial gain.
The group frequently uses phishing and social engineering to deliver information-stealing malware to its victims. Some of its most significant campaigns and incidents include Operation Kimsuky in 2013 (targeting South Korean think tanks and universities), COVID-19-related attacks in 2020 (targeting organizations involved in vaccine development), and attacks on the energy sector in 2021.
Since phishing is Kimsuky's primary method of initial compromise, the best defense against the group is to educate and train employees on how to spot and respond to phishing emails.