| Gomir | |
| --- | --- |
| Type of Malware | Backdoor |
| Country of Origin | North Korea |
| Date of Initial Activity | 2024 |
| Targeted Countries | South Korea |
| Associated Groups | Kimsuky (APT43) |
| Motivation | Cyberespionage: infiltrate networks, deliver payloads, and steal data. |
| Type of Information Stolen | Government data, communication data, login credentials |
| Attack Vectors | Distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association's website. |
| Targeted System | Linux |
Overview
The Gomir backdoor is a Linux version of the GoBear backdoor, which was used in a recent Kimsuky campaign in which the attackers delivered malware via trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive code sharing between the two variants. Any GoBear functionality that is operating-system dependent is either missing from Gomir or has been reimplemented for Linux. Gomir supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified duration, run shell commands, and terminate its own process.
Targets
South Korean organizations in Professional, Scientific and Technical Services, Public Administration, Manufacturing, and Educational Services.