Back

Springtail: New Linux Backdoor Added to Toolkit

May 16, 2024, 5:33 p.m.

Tags

malware
linux
backdoor
2024-05-16
troll stealer
gobear
southkorea
northkorea
linux.gomir

External References

https://symantec-enterprise-blogs.security.com/

https://otx.alienvault.com/

Description

Symantec's Threat Hunter Team has uncovered a new Linux backdoor, named Gomir, developed by the North Korean Springtail espionage group, which is linked to malware employed in a recent campaign targeting organizations in South Korea. The backdoor shares extensive code similarities with the Windows-based GoBear backdoor, also used by Springtail. The campaign involved delivering malware through Trojanized software installation packages, a tactic increasingly favored by North Korean threat actors.

Date

Published Created Modified
May 16, 2024, 4:46 p.m. May 16, 2024, 4:46 p.m. May 16, 2024, 5:33 p.m.

Indicators

ff945b3565f63cef7bb214a93c623688759ee2805a8c574f00237660b1c4d3fd

ecab00f86a6c3adb5f4d5b16da56e16f8e742adfb82235c505d3976c06c74e20

d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b

d05c50067bd88dae4389e96d7e88b589027f75427104fdb46f8608bbcf89edb4

cc7a123d08a3558370a32427c8a5d15a4be98fb1b754349d1e0e48f0f4cb6bfc

a98c017d1b9a18195411d22b44dbe65d5f4a9e181c81ea2168794950dc4cbd3c

8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd

8a80b6bd452547650b3e61b2cc301d525de139a740aac9b0da2150ffac986be4

8898b6b3e2b7551edcceffbef2557b99bdf4d99533411cc90390eeb278d11ac8

831f27eb18caf672d43a5a80590df130b0d3d9e7d08e333b0f710b95f2cde0e0

6c2a8e2bbe4ebf1fb6967a34211281959484032af1d620cbab390e89f739c339

5068ead78c226893df638a188fbe7222b99618b7889759e0725d85497f533e98

380ec7396cc67cf1134f8e8cda906b67c70aa5c818273b1db758f0757b955d81

47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822

36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc

30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213

7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0

bc4c1c869a03045e0b594a258ec3801369b0dcabac193e90f0a684900e9a582d

216.189.159.34

http://216.189.159.34/mir/index.php

Attack Patterns

GoBear

Linux.Gomir

Troll Stealer

Springtail

T1590.004

T1543.003

T1588.002

T1053.005

T1010

T1574.002

T1497.001

T1059.001

T1059.007

T1562.001

T1543.004

T1574.001

T1070

T1057

T1219

T1059

Additional Informations

Government