Springtail: New Linux Backdoor Added to Toolkit

Summary:
Symantec's Threat Hunter Team recently uncovered a new Linux backdoor, Linux.Gomir, developed by the North Korean Springtail espionage group, linked to a recent campaign against South Korean organizations. This group, also known as Kimsuky, has a history of targeting South Korean public sector organizations and was previously identified in attacks dating back to 2014. In their recent campaign, Springtail employed Trojanized software installation packages to deliver malware, including a new family named Troll Stealer, capable of extracting sensitive information from infected systems. Troll Stealer was distributed within installation packages for TrustPKI and NX_PRNMAN software developed by SGA Solutions. Additionally, Symantec found Troll Stealer distributed in Trojanized packages for Wizvera VeraPort, previously compromised in a North Korea-linked supply chain attack in 2020.

According to Symantec, the Troll Stealer malware bears striking resemblances to another Springtail threat known as GoBear, suggesting a shared origin. Further investigation uncovered a Linux variant of this malware lineage, named Linux.Gomir, whose structure closely mirrors GoBear's. Gomir persists either by installing itself as a systemd service or by adding a crontab entry that runs it at system reboot. It communicates with its command-and-control server over HTTP requests and supports a range of commands for manipulating the host and exfiltrating data.
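The two persistence routes Symantec attributes to Gomir (a self-installed systemd service and a crontab entry that fires at reboot) are both visible in plain-text configuration, so a triage pass over those files is a cheap first check on a suspect host. The script below is an added example written for this summary, not Symantec's tooling or the malware's own code. The article does not give the paths or unit names Gomir uses, so the sample crontab and unit files are constructed; the "trusted directory" list and the assumption that the crontab route uses an `@reboot` line are the example's own heuristics.

```python
"""Triage helper: flag reboot-persistence entries in crontab text and systemd
unit files. Added example for this summary; not Symantec's tooling. The sample
inputs at the bottom are constructed, not indicators from the article."""
from dataclasses import dataclass

# Directories where a legitimate long-running service binary normally lives.
# Heuristic chosen for this example; tune per fleet.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                     "/usr/lib/", "/usr/libexec/", "/opt/")

BOOT_TARGETS = ("multi-user.target", "default.target", "graphical.target")


@dataclass
class Finding:
    source: str   # "crontab" or the unit file name
    line: str     # the offending line, stripped
    reason: str


def _exec_path(command: str) -> str:
    """Return the executable (first token) of a shell-style command string."""
    tokens = command.strip().split()
    return tokens[0] if tokens else ""


def review_crontab(text: str, source: str = "crontab") -> list[Finding]:
    """Flag @reboot entries and any entry whose executable is outside trusted dirs."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if line.startswith("@reboot"):
            cmd = line[len("@reboot"):]
            reasons.append("runs at every reboot")
        else:
            parts = line.split(None, 5)          # five time fields, then the command
            if len(parts) < 6:
                continue                          # not a job line (e.g. VAR=value)
            cmd = parts[5]
        exe = _exec_path(cmd)
        if exe and not exe.startswith(TRUSTED_EXEC_DIRS):
            reasons.append(f"executable outside trusted dirs: {exe}")
        if reasons:
            findings.append(Finding(source, line, "; ".join(reasons)))
    return findings


def review_unit(name: str, text: str) -> list[Finding]:
    """Flag a systemd unit whose ExecStart points outside trusted dirs,
    noting whether it is wired to start at boot."""
    exec_start, wanted_by = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "ExecStart":
            exec_start = value.strip()
        elif key.strip() == "WantedBy":
            wanted_by = value.strip()
    exe = _exec_path(exec_start)
    if not exe or exe.startswith(TRUSTED_EXEC_DIRS):
        return []
    reason = f"ExecStart outside trusted dirs: {exe}"
    if wanted_by in BOOT_TARGETS:
        reason += f"; enabled at boot via {wanted_by}"
    return [Finding(name, f"ExecStart={exec_start}", reason)]


def review_host(crontab_text: str, units: dict[str, str]) -> list[Finding]:
    """Run both checks and return every finding."""
    findings = review_crontab(crontab_text)
    for name, body in units.items():
        findings.extend(review_unit(name, body))
    return findings


# --- constructed sample data (not from the article) -------------------------
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
@reboot /var/tmp/.cache/svc >/dev/null 2>&1
"""

SAMPLE_UNITS = {
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n[Install]\nWantedBy=multi-user.target\n",
    "update-svc.service": ("[Unit]\nDescription=System Update Service\n"
                           "[Service]\nExecStart=/home/user/.config/update-svc\nRestart=always\n"
                           "[Install]\nWantedBy=multi-user.target\n"),
}

if __name__ == "__main__":
    for f in review_host(SAMPLE_CRONTAB, SAMPLE_UNITS):
        print(f"{f.source}: {f.line}\n    -> {f.reason}")
```

On a live host the inputs would come from `crontab -l` for each user, `/etc/crontab`, `/etc/cron.d/*`, and the unit files under `/etc/systemd/system/` and `~/.config/systemd/user/`; the path heuristic is deliberately loose and is meant to produce a short list for an analyst to review, not a verdict.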

Security Officer Comments:
The cyberattack is a manifestation of the ongoing tensions and competition between North and South Korea. In this specific instance, the cyberattack likely targeted South Korean organizations as part of North Korea's broader strategy to gather intelligence, destabilize its southern neighbor, or achieve other geopolitical objectives. The use of Trojanized software installers and supply chain attacks reflects North Korea's evolving tactics in cyber warfare, exploiting vulnerabilities in software supply chains to infiltrate and compromise targeted systems.

The conflict between North and South Korea dates back to the Korean War in 1953, leaving the peninsula divided between a communist North and a democratic South. Tensions persist due to ideological differences, occasional violence, and unresolved issues like nuclear proliferation. Cyberattacks, such as the recent one, are part of North Korea's strategy, targeting South Korean entities for espionage, disruption, and information theft, reflecting the ongoing hostility and competition between the two nations.

Suggested Corrections:
While achieving lasting peace and reconciliation between North and South Korea may require time, patience, and perseverance, concerted efforts by all parties involved can contribute to building a more stable, secure, and prosperous future for the Korean people and the region as a whole.

Link(s):
https://symantec-enterprise-blogs.s...ligence/springtail-kimsuky-backdoor-espionage
https://www.prcprague.cz/fcdataset/northkorea-southkorea
