Gomir (Backdoor) – Malware

Gomir
Type of Malware	Backdoor
Country of Origin	North Korea
Date of initial activity	2024
Targeted Countries	South Korea
Associated Groups	Kimsuky (APT 43)
Motivation	Cyberespionage. Infiltrate networs and deliver payloads. Data theft.
Type of information Stolen	Government Data, Communication Data, Login credentials
Attack Vectors	The malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association's website.
Targeted System	Linux

Overview

The Gomir backdoor is a Linux version of the GoBear backdoor, which was used in a recent Kimsuky campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir. Gomir supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified time duration, run shell commands, and terminate its own process.

Targets

South Korean organizations (Professional, Scientific and Technical Services, Public Administration, Manufacturing, Educational Services).

How they operate

When executed, Gomir checks its command line for the string “install” as its only argument. If found, it attempts to install itself with persistence. To determine how it installs itself, Gomir checks if it has superuser privileges by verifying the effective group ID of its process. If it is running with superuser privileges, Gomir copies itself to a specific system directory and creates a systemd service to ensure it runs automatically. It then enables and starts this service, deletes the original executable, and terminates the original process. If Gomir is not running with superuser privileges, it resorts to creating a cron job to start the malware every time the system reboots. It creates a temporary configuration file listing the existing cron jobs and appends its own entry. It then updates the system’s crontab with this configuration, deletes the temporary file, and restarts itself from the new location. Once installed and running, Gomir periodically communicates with its C2 server using HTTP POST requests. These requests include an infection ID unique to each infected host. The C2 server responds with commands that Gomir decodes and decrypts using a custom encryption algorithm. These commands instruct Gomir on the actions to perform, leveraging its 17 supported commands.