lazarusholic


Springtail: New Linux Backdoor Added to Toolkit

2024-05-16, Symantec
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage
#Gomir #Springtail #TrollStealer #GoBear

Contents

More than one legitimate software package was modified to deliver malware in North Korean group’s recent campaign against South Korean organizations.
Symantec’s Threat Hunter Team has uncovered a new Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky) that is linked to malware used in a recent campaign against organizations in South Korea.
The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants.
Background
Springtail is a tight-knit espionage group that initially specialized in attacks on public sector organizations in South Korea. The group first came to public attention in 2014, when the South Korean government said it was responsible for an attack on Korea Hydro and Nuclear …

IoC

216.189.159.34
30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213
36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc
380ec7396cc67cf1134f8e8cda906b67c70aa5c818273b1db758f0757b955d81
47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822
5068ead78c226893df638a188fbe7222b99618b7889759e0725d85497f533e98
6c2a8e2bbe4ebf1fb6967a34211281959484032af1d620cbab390e89f739c339
7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0
831f27eb18caf672d43a5a80590df130b0d3d9e7d08e333b0f710b95f2cde0e0
8898b6b3e2b7551edcceffbef2557b99bdf4d99533411cc90390eeb278d11ac8
8a80b6bd452547650b3e61b2cc301d525de139a740aac9b0da2150ffac986be4
8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd
a98c017d1b9a18195411d22b44dbe65d5f4a9e181c81ea2168794950dc4cbd3c
bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d
cc7a123d08a3558370a32427c8a5d15a4be98fb1b754349d1e0e48f0f4cb6bfc
d05c50067bd88dae4389e96d7e88b589027f75427104fdb46f8608bbcf89edb4
d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b
ecab00f86a6c3adb5f4d5b16da56e16f8e742adfb82235c505d3976c06c74e20
ff945b3565f63cef7bb214a93c623688759ee2805a8c574f00237660b1c4d3fd
http://216.189.159.34
http://216.189.159.34/mir/index.php
https://github.com/kost/revsocks.git
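Added example, not code from Symantec or from this site: a small Python matcher that sorts the indicators listed above into typed sets (IP, SHA-256, URL, host) and checks them against a constructed proxy log and a constructed list of file hashes. The log line format, the sample paths and the decision to treat github.com as a shared platform (matched only on the exact URL, never on the bare host) are assumptions made for this example.

```python
# Added example (not Symantec's or lazarusholic's code). The indicator values
# are copied from the IoC list on this page; the proxy log, the file hashes
# and the log line format are constructed for illustration.
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

# Indicators exactly as listed on the page (Symantec, 2024-05-16).
IOC_TEXT = """
216.189.159.34
30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213
36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc
380ec7396cc67cf1134f8e8cda906b67c70aa5c818273b1db758f0757b955d81
47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822
5068ead78c226893df638a188fbe7222b99618b7889759e0725d85497f533e98
6c2a8e2bbe4ebf1fb6967a34211281959484032af1d620cbab390e89f739c339
7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0
831f27eb18caf672d43a5a80590df130b0d3d9e7d08e333b0f710b95f2cde0e0
8898b6b3e2b7551edcceffbef2557b99bdf4d99533411cc90390eeb278d11ac8
8a80b6bd452547650b3e61b2cc301d525de139a740aac9b0da2150ffac986be4
8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd
a98c017d1b9a18195411d22b44dbe65d5f4a9e181c81ea2168794950dc4cbd3c
bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d
cc7a123d08a3558370a32427c8a5d15a4be98fb1b754349d1e0e48f0f4cb6bfc
d05c50067bd88dae4389e96d7e88b589027f75427104fdb46f8608bbcf89edb4
d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b
ecab00f86a6c3adb5f4d5b16da56e16f8e742adfb82235c505d3976c06c74e20
ff945b3565f63cef7bb214a93c623688759ee2805a8c574f00237660b1c4d3fd
http://216.189.159.34
http://216.189.159.34/mir/index.php
https://github.com/kost/revsocks.git
"""

# Shared public platforms: a bare-host match on these would flag every
# GitHub clone in the estate, so only the full URL counts (assumption).
SHARED_HOSTS = {"github.com"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_iocs(text):
    """Sort raw indicator lines into typed sets: ip, sha256, url, host."""
    iocs = {"ip": set(), "sha256": set(), "url": set(), "host": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SHA256_RE.match(line.lower()):
            iocs["sha256"].add(line.lower())
        elif line.lower().startswith(("http://", "https://")):
            iocs["url"].add(line)
            host = (urlparse(line).hostname or "").lower()
            if host and host not in SHARED_HOSTS:
                iocs["host"].add(host)  # lets logs without a full URL still match
        else:
            ipaddress.ip_address(line)  # raises ValueError on anything unexpected
            iocs["ip"].add(line)
    return iocs


def scan_proxy_log(lines, iocs):
    """Return (line_no, indicator) for log lines that hit an IoC.

    Assumed line format: "<timestamp> <client> <method> <url> <status>".
    An exact URL hit is reported first; otherwise the host (or IP) is checked.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        host = (urlparse(url).hostname or "").lower()
        if url in iocs["url"]:
            hits.append((n, url))
        elif host in iocs["host"] or host in iocs["ip"]:
            hits.append((n, host))
    return hits


def scan_files(hashes_by_path, iocs):
    """Return the paths whose SHA-256 appears in the indicator set."""
    return sorted(p for p, h in hashes_by_path.items() if h.lower() in iocs["sha256"])


# Constructed sample evidence. Line 4 uses a different port and path than the
# listed URL, so it is caught by the host-level match rather than the exact URL;
# line 3 is ordinary GitHub traffic and must not match.
SAMPLE_PROXY_LOG = [
    "2024-05-10T09:12:01Z 10.0.0.15 GET http://216.189.159.34/mir/index.php 200",
    "2024-05-10T09:12:07Z 10.0.0.15 GET https://github.com/kost/revsocks.git 200",
    "2024-05-10T09:13:44Z 10.0.0.22 GET https://github.com/python/cpython 200",
    "2024-05-10T09:15:02Z 10.0.0.15 POST http://216.189.159.34:8080/upload 404",
]

# Constructed: one path carries the first hash from the list, the other a benign hash.
SAMPLE_FILE_HASHES = {
    "/home/user/Downloads/sample.bin":
        "30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213",
    "/usr/bin/ls": hashlib.sha256(b"constructed benign content").hexdigest(),
}

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    for n, ind in scan_proxy_log(SAMPLE_PROXY_LOG, iocs):
        print(f"proxy log line {n}: {ind}")
    for path in scan_files(SAMPLE_FILE_HASHES, iocs):
        print(f"file hash match: {path}")
```

On a real host the dictionary passed to scan_files would be built by hashing candidate binaries with hashlib.sha256 in chunks; the bare-IP entry also deserves a check of firewall and DNS logs, not only the proxy, because a Linux backdoor such as Gomir need not go through a web proxy at all.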