Menu

  • Alerts
  • Incidents
  • News
  • APTs
  • Cyber Decoded
  • Cyber Hygiene
  • Cyber Review
  • Cyber Tips
  • Definitions
  • Malware
  • Threat Actors
  • Tutorials

Useful Tools

  • Password generator
  • Report an incident
  • Report to authorities
No Result
View All Result
CTF Hack Havoc
CyberMaterial
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
Hall of Hacks
  • Education
    • Cyber Decoded
    • Definitions
  • Information
    • Alerts
    • Incidents
    • News
  • Insights
    • Cyber Hygiene
    • Cyber Review
    • Tips
    • Tutorials
  • Support
    • Contact Us
    • Report an incident
  • About
    • About Us
    • Advertise with us
Get Help
No Result
View All Result
Hall of Hacks
CyberMaterial
No Result
View All Result
Home Malware

Gomir (Backdoor) – Malware

July 12, 2024
Reading Time: 3 mins read
in Malware
Gomir (Backdoor) – Malware

Gomir

Type of Malware

Backdoor

Country of Origin

North Korea

Date of initial activity

2024

Targeted Countries

South Korea

Associated Groups

Kimsuky (APT 43)

Motivation

Cyberespionage. Infiltrate networs and deliver payloads. Data theft.

Type of information Stolen

Government Data, Communication Data, Login credentials

Attack Vectors

The malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association's website.

Targeted System

Linux

Overview

The Gomir backdoor is a Linux version of the GoBear backdoor, which was used in a recent Kimsuky campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir. Gomir supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified time duration, run shell commands, and terminate its own process.

Targets

South Korean organizations (Professional, Scientific and Technical Services, Public Administration, Manufacturing, Educational Services).

How they operate

When executed, Gomir checks its command line for the string “install” as its only argument. If found, it attempts to install itself with persistence. To determine how it installs itself, Gomir checks if it has superuser privileges by verifying the effective group ID of its process. If it is running with superuser privileges, Gomir copies itself to a specific system directory and creates a systemd service to ensure it runs automatically. It then enables and starts this service, deletes the original executable, and terminates the original process. If Gomir is not running with superuser privileges, it resorts to creating a cron job to start the malware every time the system reboots. It creates a temporary configuration file listing the existing cron jobs and appends its own entry. It then updates the system’s crontab with this configuration, deletes the temporary file, and restarts itself from the new location. Once installed and running, Gomir periodically communicates with its C2 server using HTTP POST requests. These requests include an infection ID unique to each infected host. The C2 server responds with commands that Gomir decodes and decrypts using a custom encryption algorithm. These commands instruct Gomir on the actions to perform, leveraging its 17 supported commands.
References:
  • Springtail: New Linux Backdoor Added to Toolkit
Tags: BackdoorGoBearGomirGomir backdoorkimsukyLinuxMalwareSouth KoreaTrojan
ADVERTISEMENT

Related Posts

Iranian Phishing Campaign (Scam) – Malware

Iranian Phishing Campaign (Scam) – Malware

March 2, 2025
Fake WalletConnect (Infostealer) – Malware

Fake WalletConnect (Infostealer) – Malware

March 2, 2025
SilentSelfie (Infostealer) – Malware

SilentSelfie (Infostealer) – Malware

March 2, 2025
Sniper Dz (Scam) – Malware

Sniper Dz (Scam) – Malware

March 2, 2025
TikTok Malware Scam (Trojan) – Malware

TikTok Malware Scam (Trojan) – Malware

March 2, 2025
Zombinder (Exploit Kit) – Malware

Zombinder (Exploit Kit) – Malware

March 2, 2025

Latest Alerts

New ZeroCrumb Malware Steals Browser Cookies

TikTok Videos Spread Vidar StealC Malware

CISA Commvault ZeroDay Flaw Risks Secrets

GitLab Patch Stops Service Disruption Risks

3AM Ransomware Email Bomb and Vishing Threat

Function Confusion Hits Serverless Clouds

Subscribe to our newsletter

    Latest Incidents

    Cetus Crypto Exchange Hacked For $223M

    MCP Data Breach Hits 235K NC Lab Patients

    UFCW Data Breach Risks Social Security Data

    Cyberattack Paralyzes French Hauts de Seine

    Santa Fe City Loses $324K In Hacker Scam

    Belgium Housing Hit by Ransomware Attack

    CyberMaterial Logo
    • About Us
    • Contact Us
    • Jobs
    • Legal and Privacy Policy
    • Site Map

    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial