Security Affairs reports that North Korean state-sponsored cyberespionage operation Kimsuky, also known as APT43, Springtail, Black Banshee, Velvet Chollima, Thallium, and ARCHIPELAGO, has been targeting South Korean entities with the new Gomir Linux backdoor.
Gomir supports nearly the same set of commands as the GoBear Windows backdoor. GoBear, in turn, has been linked to the Troll Stealer malware because both are signed with the same legitimate certificate, and to the BetaSeed malware previously used by Kimsuky, according to a report from Symantec. This development indicates that Kimsuky and other North Korean threat actors are increasingly using software updates and installation packages as initial vectors for compromise.
Kimsuky… "has focused on Trojanized software installers hosted on third-party sites requiring their installation or masquerading as official apps. The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets," said researchers.