Springtail: New Linux Backdoor Added to Toolkit
May 16, 2024, 5:33 p.m.
Tags
External References
Description
Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-based GoBear backdoor, also used by Springtail. The campaign involved delivering malware through Trojanized software installation packages, a tactic increasingly favored by North Korean threat actors.
Date
Published: May 16, 2024, 4:46 p.m.
Created: May 16, 2024, 4:46 p.m.
Modified: May 16, 2024, 5:33 p.m.
Indicators
.189.159.34
http://216.189.159.34/mir/index.php
Attack Patterns
GoBear
Linux.Gomir
Troll Stealer
Springtail
T1590.004
T1543.003
T1588.002
T1053.005
T1010
T1574.002
T1497.001
T1059.001
T1059.007
T1562.001
T1543.004
T1574.001
T1070
T1057
T1219
T1059
Additional Information
Government