Kimsuky Hackers New Linux Backdoor Malware in South Korea Attacks, here is a quick look

In the ever-evolving world of cyber threats, a new menace has emerged. The North Korean hacker group known as Kimsuky has been deploying a new Linux malware, dubbed Gomir. This backdoor is a Linux variant of the GoBear backdoor and is delivered via trojanized software installers.

The Threat Actors

Kimsuky is a state-sponsored threat actor, linked to North Korea’s military intelligence, the Reconnaissance General Bureau (RGB). This group has been active for over a decade and is primarily associated with attacks on South Korean government and private sector organizations.

The Malware

Gomir shares many similarities with GoBear. It features direct command and control (C2) communication, persistence mechanisms, and support for executing a wide range of commands. Upon installation, the malware checks its group ID value to determine whether it is running with root privileges on the Linux machine. It then copies itself to /var/log/syslogd for persistence.
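The persistence location named above gives defenders a cheap hunt: on a normal Linux host, /var/log holds plain-text and rotated log files, never ELF binaries or executable regular files. The following is an added example written for this article (it is not code from the original post or from any vendor report) that walks a log directory and flags files that are ELF binaries or carry an execute bit. The `demo()` function builds a constructed /var/log lookalike in a temporary directory, including a stand-in `syslogd` file with an ELF header, so the script runs offline; the file names and contents in it are constructed, not recovered from a real infection.

```python
#!/usr/bin/env python3
"""Hunt for executable or ELF files planted under a log directory.

Added example, not code from the original article. Rationale: the post
states Gomir copies itself to /var/log/syslogd for persistence, and a
regular file under /var/log that is an ELF binary or is executable is
anomalous on a normal Linux host. All sample files are constructed.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

ELF_MAGIC = b"\x7fELF"


def is_elf(path: Path) -> bool:
    """Return True if the file begins with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def is_executable(path: Path) -> bool:
    """Return True for a regular file with any execute bit set (no symlink following)."""
    mode = path.lstat().st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def hunt_log_dir(log_dir: Path) -> List[Dict]:
    """Walk log_dir and report regular files that are ELF binaries or executable.

    Each finding records which indicator fired, so an analyst can triage
    'ELF binary' (a dropped backdoor, as in the /var/log/syslogd case)
    separately from 'executable but not ELF' (for example a planted script).
    """
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            p = Path(root) / name
            if p.is_symlink() or not p.is_file():
                continue  # ignore symlinks, sockets and other non-regular entries
            elf, exe = is_elf(p), is_executable(p)
            if elf or exe:
                findings.append(
                    {"path": str(p.relative_to(log_dir)), "elf": elf, "executable": exe}
                )
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict]:
    """Build a constructed /var/log lookalike and run the hunt against it."""
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp) / "var" / "log"
        log_dir.mkdir(parents=True)
        # Benign: a plain-text log with no execute bit (constructed content).
        (log_dir / "syslog").write_text("May 16 10:00:00 host systemd[1]: Started session.\n")
        # Constructed stand-in for the persistence artefact: ELF header, mode 0755.
        planted = log_dir / "syslogd"
        planted.write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
        planted.chmod(0o755)
        # Constructed non-ELF file that is nevertheless executable.
        script = log_dir / "rotate.sh"
        script.write_text("#!/bin/sh\necho hi\n")
        script.chmod(0o700)
        return hunt_log_dir(log_dir)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a live host with `hunt_log_dir(Path("/var/log"))` as root; an empty result is the expected baseline, and any ELF hit deserves a file hash, a look at its parent process tree, and a check of the package manager's ownership records before it is written off.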

The Attack Method

The hackers have been using trojanized versions of various software solutions to infect South Korean targets. These include TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort. The malware is delivered via these compromised software packages.

The Impact

The deployment of Gomir marks a significant development in the cyber-espionage landscape. It underscores the increasing sophistication of state-sponsored cyber threats and the need for robust cybersecurity measures. The discovery of this backdoor serves as a stark reminder of the persistent threats that organizations face in today’s digital age.

The Targets

The primary targets of Kimsuky’s attacks are South Korean government and private sector organizations. However, the group has also been known to target other countries in the past. The deployment of Gomir suggests that the group is expanding its operations and capabilities.

The Evolution of Tactics

The use of Gomir represents an evolution in Kimsuky’s tactics. The group is known for its innovative approaches to cyber espionage, and the deployment of this new backdoor is a testament to their adaptability and resourcefulness.

The Response

The discovery of Gomir has prompted a response from cybersecurity firms and government agencies. Efforts are being made to detect and neutralize the threat posed by this new backdoor. This includes the development of new detection signatures and the sharing of threat intelligence.

In conclusion, the emergence of the Gomir backdoor highlights the evolving tactics of cyber threat actors. As these threats continue to evolve, so too must our defenses. It is crucial for organizations to stay vigilant, invest in robust cybersecurity measures, and foster a culture of security awareness.
