
Novel Linux backdoor used in Kimsuky attacks


Security Affairs reports that North Korean state-sponsored cyberespionage operation Kimsuky, also known as APT43, Springtail, Black Banshee, Velvet Chollima, Thallium, and ARCHIPELAGO, has been targeting South Korean entities with the new Gomir Linux backdoor.


Gomir supports almost the same set of commands as the GoBear Windows backdoor. GoBear, in turn, is linked to the Troll Stealer malware through a shared legitimate code-signing certificate, and to the BetaSeed malware previously used by Kimsuky, according to a report from Symantec. The finding points to a growing focus by Kimsuky and other North Korean threat actors on software updates and installation packages as initial access vectors.

Kimsuky… "has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets," said researchers.
