North Korean Threat Actor Kimsuky Unleashes New Backdoor on Linux Devices

Security researchers have discovered a new backdoor targeting Linux devices, dubbed Gomir, which is believed to be the work of the state-sponsored North Korean group Kimsuky. Gomir is a modified version of the previously known GoBear backdoor, which has been used to infiltrate Windows systems.

Gomir's capabilities mirror those of its predecessor: direct communication with its server, multiple persistence methods, and several operations including file exfiltration, creation of a remote proxy, and probing of system configuration. Researchers note that Gomir's functionality is almost identical to what GoBear offers on Windows devices.

Cyber Espionage Campaigns of Kimsuky

Kimsuky, also known as Thallium or Velvet Chollima, has been active since 2012, primarily focusing on intelligence-gathering operations. The group is notorious for targeting high-value entities in South Korea, the United States, Japan, and other nations through various cyber espionage tactics.

The group's modus operandi includes spear phishing and social engineering to spread information-stealing malware. Kimsuky has been linked to several significant cyber campaigns, such as the 2013 Operation Kimsuky, COVID-19-related attacks in 2020, and recent assaults on the energy sector in 2021.

To defend against such threats, cybersecurity specialists recommend that organizations strengthen their phishing prevention training, so that employees can recognize and correctly handle phishing attempts.

Protecting Against Cyber Espionage

As the digital landscape evolves, so do the tactics used by state-sponsored groups like Kimsuky. Organizations must remain vigilant and invest in cybersecurity education and robust defense systems, including firewalls and endpoint protection tools, to safeguard against these advanced threats.