Symantec researchers have identified a new Linux backdoor, Linux.Gomir, that is being delivered to Linux users through Trojanized installation packages. The backdoor is attributed to Springtail (also tracked as Kimsuky), a North Korean state-sponsored group, and has been linked to recent malware attacks on South Korean targets.
Springtail is believed to be part of North Korea's military intelligence apparatus and has a long history of cyber espionage. A notable earlier operation was the 2014 disk-wiper attack on Korea Hydro and Nuclear Power. More recently the group has relied on social engineering, for example impersonating experts on North Korean affairs to lure targets.
Springtail's latest campaign distributed a new information stealer called Troll Stealer. The malware is written in Go and shares code with earlier Springtail tools, including the GoBear and BetaSeed backdoors. It was delivered inside Trojanized software installers for well-known programs, including TrustPKI and NX_PRNMAN from SGA Solutions and Wizvera VeraPort, software that had previously been abused in a 2020 supply chain attack.
The campaign primarily targeted government agencies, with a focus on stealing GPKI (Government Public Key Infrastructure) data. The Trojanized installers appear to have been served from legitimate websites that required users to log in before downloading. In addition, the group distributed the GoBear backdoor disguised as an installer for a Korean transport organization's app, signed with a stolen code-signing certificate, so a valid signature alone was not enough to flag the package as malicious.
Symantec's analysis of Linux.Gomir found that it is functionally almost identical to GoBear, the Windows backdoor Springtail already uses, which shows the group is porting its tooling across platforms. When executed with the "install" command-line argument, Gomir checks whether it is running with root privileges, sets up persistence accordingly, and then begins polling a command-and-control (C&C) server, from which it receives encoded commands.
Gomir decodes those commands with a custom encryption routine rather than a standard library cipher, which complicates signature-based inspection of its C&C traffic. More broadly, the campaign illustrates North Korean groups' preference for software supply chain vectors, namely Trojanized installers and compromised update channels, as a targeted and calculated route into espionage victims. Practically, this means installers should be verified against vendor-published hashes and signing identities, and a valid code-signing certificate should not by itself be treated as proof of legitimacy.
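The persistence behaviour above is where defenders can look first. Symantec's published analysis (not quoted on this page) reports that when Gomir runs as root it copies itself to /var/log/syslogd and registers a systemd service named "syslogd", and otherwise falls back to a crontab entry that starts it on reboot. The following audit script is an added example written for this article, not Symantec's or Springtail's code. It generalises the pattern into two heuristics that apply beyond this one sample: a service or cron job whose executable lives in a log or temporary directory, and a unit whose name mimics a well-known daemon while its ExecStart points outside the normal system binary directories. The sample unit files and crontab lines are constructed for illustration.

```python
"""Audit systemd units and crontab entries for persistence that launches
binaries from unusual locations, the pattern Symantec reports for Gomir's
"install" routine. Added example; the sample inputs below are constructed."""
import re
import shlex
from pathlib import PurePosixPath

# Directories a legitimate long-running service binary should never execute from.
SUSPICIOUS_DIRS = ("/var/log", "/tmp", "/var/tmp", "/dev/shm")
# Daemon names that malware commonly impersonates (Gomir used "syslogd").
MIMICKED_NAMES = {"syslogd", "rsyslogd", "cron", "crond", "sshd", "systemd-journald"}
# Where genuine system daemons are normally installed.
TRUSTED_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/lib/")


def first_argv0(command_line):
    """Return the executable path from a command line, honouring shell quoting."""
    try:
        parts = shlex.split(command_line)
    except ValueError:
        return None
    return parts[0] if parts else None


def path_is_suspicious(path):
    """True if an absolute path lies inside one of SUSPICIOUS_DIRS."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return False  # relative paths cannot be judged without the working dir
    return any(PurePosixPath(d) in p.parents for d in SUSPICIOUS_DIRS)


def audit_systemd_unit(name, text):
    """Return findings for a unit file (name such as 'syslogd.service')."""
    findings = []
    stem = PurePosixPath(name).stem  # syslogd.service -> syslogd
    for line in text.splitlines():
        m = re.match(r"ExecStart\s*=\s*(.*)", line.strip())
        if not m:
            continue
        cmd = m.group(1).lstrip("-@+!:")  # strip systemd exec prefix characters
        exe = first_argv0(cmd)
        if not exe:
            continue
        if path_is_suspicious(exe):
            findings.append(f"{name}: ExecStart runs {exe} from an unusual directory")
        if stem in MIMICKED_NAMES and not exe.startswith(TRUSTED_PREFIXES):
            findings.append(f"{name}: unit name mimics {stem} but ExecStart is {exe}")
    return findings


def audit_crontab(owner, text):
    """Return findings for a crontab; handles both '@reboot' and 5-field schedules."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            sched, cmd = parts
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        exe = first_argv0(cmd)
        if exe and path_is_suspicious(exe):
            findings.append(f"crontab({owner}): '{sched}' runs {exe} from an unusual directory")
    return findings


# Constructed sample inputs: one mimicking the reported Gomir persistence,
# one benign rsyslog unit, and a crontab with a suspicious @reboot entry.
SAMPLE_UNITS = {
    "syslogd.service": "[Unit]\nDescription=syslogd\n\n[Service]\n"
                       "ExecStart=/var/log/syslogd\nRestart=always\n\n"
                       "[Install]\nWantedBy=multi-user.target\n",
    "rsyslog.service": "[Service]\nExecStart=/usr/sbin/rsyslogd -n -iNONE\n",
}
SAMPLE_CRONTAB = ("# m h dom mon dow command\n"
                  "@reboot /var/log/syslogd\n"
                  "0 3 * * * /usr/bin/certbot renew\n")


def run_audit(units=SAMPLE_UNITS, crontab=SAMPLE_CRONTAB, crontab_owner="user"):
    """Run both audits and return the combined list of findings."""
    findings = []
    for name, text in units.items():
        findings.extend(audit_systemd_unit(name, text))
    findings.extend(audit_crontab(crontab_owner, crontab))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On a real host, feed the script the contents of /etc/systemd/system/*.service and the output of crontab -l for each user; a hit on the mimicry heuristic deserves a hash lookup and a look at the process's network connections, since Gomir's only job after installation is to poll its C&C.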
The emergence of Linux.Gomir confirms that Springtail is willing to invest in Linux tooling alongside its established Windows backdoors. Given the group's track record, organizations handling South Korean government or GPKI-related systems in particular should verify the integrity of software installers before deployment, monitor systemd services and crontab entries for unexpected additions, and watch for outbound HTTP traffic from hosts that should not be polling external servers.
