32.Lock Code Circular Esm W900

The Kimsuky APT group, reportedly linked to North Korea's Reconnaissance General Bureau (RGB), has been identified deploying a Linux version of its GoBear backdoor called Gomir. The Gomir backdoor is structurally similar to GoBear, leading to concerns within the cybersecurity community. The overlapping code between malware variants raises questions regarding the extent of the threat and the potential implications for targeted organizations. Let's explore the significance of this discovery and its implications for the Linux community so you are better prepared to protect against Gomir and other Linux malware variants.

How Does Gomir Work & What Are Its Implications for Linux Admins?

MalwarebusinessIn technical terms, Gomir, the Linux backdoor, supports several commands, enabling its operators to carry out file operations, initiate a reverse proxy, pause command-and-control communications, execute shell commands, and terminate its own process. The existence of these capabilities demands robust security protocols within Linux systems, including monitoring and controlling command executions to prevent the misuse of these privileges by threat actors.

Security researchers initially documented GoBear in connection with a campaign involving malware known as Troll Stealer, suggesting that these activities are part of a larger, coordinated effort by the Kimsuky APT group to infiltrate organizations in South Korea. Moreover, the distribution of the malware through trojanized security programs downloaded from a South Korean construction-related association's website is noteworthy. This points to the pressing need for organizations to meticulously assess the integrity of the software they download and use. Using rogue installers for Wizvera VeraPort to deliver Troll Stealer further emphasizes the need for improved supply chain security measures to prevent the spread of malicious software. This includes modernizing processes, reviewing and updating permissions throughout the supply chain, and verifying code before deploying it.

The broader implication of this report is the emerging pattern of software installation packages and updates being exploited as favored infection vectors for espionage activities. Recognizing this trend is essential for security practitioners and underscores the urgency of ensuring the authenticity and security of software updates and installation packages.

Our Final Thoughts on Gomir

The emergence of Gomir and the tactics employed by the Kimsuky APT group in targeting South Korean organizations demonstrate the need for enhanced vigilance and proactive security measures. Linux admins should take note of these developments and evaluate their security postures to mitigate the risk such advanced persistent threat groups pose to their systems.