Kimsuky, linked to North Korea's military intelligence, the Reconnaissance General Bureau, has a history of sophisticated cyber attacks aimed primarily at South Korean entities.
In early February 2024, researchers at S2W, a threat intelligence company, reported a campaign by Kimsuky involving trojanized versions of various software solutions.
The primary targets were South Korean entities, and the malicious software delivered the Troll Stealer and Go-based Windows malware known as GoBear.
Upon installation, Gomir, the Linux backdoor examined in Symantec's report, checks the group ID value to determine whether it is running with root privileges on the Linux machine.
It then copies itself to /var/log/syslogd for persistence, creates a systemd service named 'syslogd,' and issues commands to start the service.
To ensure it runs on system reboot, the backdoor attempts to configure a crontab command by creating a helper file in the current working directory.
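A host triage check for the persistence traits just described, added here as an example (it is not code from Symantec's report or from the malware): it looks for an executable at /var/log/syslogd, a systemd unit named syslogd that starts it, and crontab entries that invoke it. The systemd and cron search paths, and the constructed sample tree used to exercise the check, are assumptions rather than details from the report.

```python
import os
import re
import tempfile

# Traits from the report: copy location, 'syslogd' service name, cron reboot persistence. Search paths are assumed defaults.
DROP_PATH = "var/log/syslogd"
UNIT_PATHS = ("etc/systemd/system/syslogd.service", "usr/lib/systemd/system/syslogd.service")
CRON_PATHS = ("etc/crontab", "etc/cron.d", "var/spool/cron")


def _text_files(path):
    """Yield (path, contents) for a file, or for every regular file under a directory."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(path) for f in fs] if os.path.isdir(path) else [path]
    for p in paths:
        try:
            with open(p, errors="replace") as fh:
                yield p, fh.read()
        except OSError:  # missing, unreadable without root, or not a regular file: skip it
            continue


def check_gomir_persistence(root="/"):
    """Return human-readable findings for Gomir-style persistence located under `root`."""
    findings = []
    drop = os.path.join(root, DROP_PATH)
    if os.path.isfile(drop) and os.stat(drop).st_mode & 0o111:
        findings.append(f"executable at /{DROP_PATH}: a log directory should hold no binaries")
    for unit in UNIT_PATHS:
        for p, body in _text_files(os.path.join(root, unit)):
            if re.search(r"^ExecStart=.*/var/log/syslogd\b", body, re.M):
                findings.append(f"systemd unit /{os.path.relpath(p, root)} starts /{DROP_PATH}")
    for cron in CRON_PATHS:
        for p, body in _text_files(os.path.join(root, cron)):
            if "/var/log/syslogd" in body:
                findings.append(f"crontab entry in /{os.path.relpath(p, root)} runs /{DROP_PATH}")
    return findings


def build_sample_tree(infected=True):
    """Throwaway fake root; with infected=True it carries all three traits as constructed data."""
    root = tempfile.mkdtemp()
    samples = {  # constructed contents; the report quotes no exact unit file or cron line
        DROP_PATH: "\x7fELF placeholder, not a real binary",
        UNIT_PATHS[0]: "[Service]\nExecStart=/var/log/syslogd\n[Install]\nWantedBy=multi-user.target\n",
        CRON_PATHS[0]: "@reboot root /var/log/syslogd\n",
    }
    for rel, body in (samples.items() if infected else ()):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
        if rel == DROP_PATH: os.chmod(full, 0o755)
    return root
```

Run `check_gomir_persistence()` with the default root on a live host or point `root` at a mounted disk image; an empty list means none of the three traits was found.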
Gomir supports 17 operations triggered by commands received from the C2 via HTTP POST requests.
These operations include pausing communication with the C2 server, executing arbitrary shell commands, reporting the current working directory, probing network endpoints, and more.
Notably, these commands are almost identical to those supported by the GoBear Windows backdoor, highlighting the malware's versatility and Kimsuky's ability to adapt its tools across different operating systems.
Symantec researchers have pointed out that supply-chain attacks, such as trojanized software installers and fake installers, are a preferred attack method for North Korean espionage actors.
The choice of software for trojanization seems to be carefully selected to maximize infection rates among South Korean targets.
By compromising widely used software solutions, Kimsuky increases its chances of infiltrating targeted systems and exfiltrating valuable data.
The implications of Kimsuky's activities are significant.
By enhancing their malware capabilities and expanding their target range to include Linux systems, Kimsuky poses a heightened threat to organizations, particularly those in South Korea.
The use of advanced malware like Gomir demonstrates the group's continuous evolution and sophistication in cyber espionage.
Symantec's report on this campaign includes a set of indicators of compromise for multiple malicious tools observed, including Gomir, Troll Stealer, and the GoBear dropper.
These IOCs help cybersecurity professionals detect and mitigate the impact of these threats.
Beyond IOC matching, defenders should keep software regularly updated, conduct thorough security assessments, and implement comprehensive threat detection and response mechanisms.
The emergence of Gomir and similar threats underscores the importance of international cooperation in combating cybercrime.
By sharing intelligence and collaborating on cybersecurity initiatives, nations can better protect their critical infrastructure and sensitive data from sophisticated threat actors like Kimsuky.
This Cyber News was published on www.cysecurity.news. Publication date: Sun, 19 May 2024 15:43:07 +0000