
Velvet Chollima Using Gomir Linux Backdoor

Written by The Hivemind | May 24, 2024 3:58:05 PM

Related Families: GoBear, Troll Stealer, BetaSeed, Endor
Verticals Targeted: Government 

Executive Summary

North Korea nexus threat actor group Velvet Chollima was observed using a new Linux backdoor, dubbed Gomir, to target entities in South Korea.

Key Takeaways

  • North Korea nexus threat actor group Velvet Chollima was observed using a new Linux backdoor, dubbed Gomir, to target entities in South Korea.
  • In a recent espionage campaign, Velvet Chollima used Trojanized software installation packages to deliver Gomir and Troll Stealer.
  • Gomir appears to be a Linux variant of GoBear backdoor.
  • Troll Stealer is an espionage tool that can steal commonly sought-after data and copy the Government Public Key Infrastructure (GPKI) folder used by South Korean government entities.

The Campaign

North Korea nexus threat actor group Velvet Chollima was observed using a new Linux backdoor, dubbed Gomir, to target entities in South Korea. Symantec reported on this activity. In a recent espionage campaign that began as early as February 2024, the threat actors used Trojanized software installation packages for TrustPKI and NX_PRNMAN to deliver the Gomir malware. The campaign also delivered another new malware family, Troll Stealer.

Gomir

According to Symantec, Gomir appears to be a Linux variant of the Go-based GoBear backdoor. Gomir is almost identical to GoBear apart from its operating-system-dependent code. Gomir supports over a dozen commands, including file operations, starting a reverse proxy, pausing C2 communications, running shell commands, and terminating its own process.

Troll Stealer

Troll Stealer, also known as TrollAgent, is an espionage tool capable of stealing files, browser data, and system information, as well as taking screenshots. Troll Stealer can also copy the Government Public Key Infrastructure (GPKI) folder, which is used by South Korean government personnel and organizations. This likely indicates that government entities were among the campaign's targets. Troll Stealer was also observed being delivered via Trojanized Wizvera VeraPort installation packages. Troll Stealer is similar to GoBear, which is written in Go, and to BetaSeed, which is written in C++.

Who is Velvet Chollima?

Velvet Chollima, also known as Kimsuky, Thallium, APT43, Emerald Sleet, Springtail, and Black Banshee, is a North Korean threat actor group thought to be an offshoot of Lazarus Group. The group is associated with North Korea's Reconnaissance General Bureau (RGB) and may be part of its 5th Bureau. It has been active since at least 2014 and typically conducts espionage campaigns.

Velvet Chollima’s targets have included government employees, think tanks, academics, and human rights organizations. They have also engaged in cybercrime activity, including stealing cryptocurrency, then using the proceeds from this illicit activity to fund espionage operations. The group uses a combination of social engineering and moderately sophisticated technical capabilities in its attacks.  

IOCs

PolySwarm has multiple samples associated with this activity.

SHA-256:

7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0
8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd
47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822

You can use the following CLI command to search for all samples associated with this activity in our portal:

$ polyswarm link list -f Gomir
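For hosts where a portal lookup is not an option, the following Python script is an added example (not PolySwarm's code or tooling) of sweeping a directory tree for files whose SHA-256 matches the hashes listed above. It seeds the IOC set with the three hashes from this page; the sample files it writes in a temporary directory are constructed here, and their hashes are not the page's.

```python
"""Sweep a directory tree for files whose SHA-256 is in a set of IOC hashes.

Added example, not PolySwarm code. The three digests in IOC_HASHES are the ones
listed on this page; the paths and sample files below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes from the IOC section of this page.
IOC_HASHES = {
    "7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0",
    "8e45daace21f135b54c515dbd5cf6e0bd28ae2515b9d724ad2d01a4bf10f93bd",
    "47d084e54d15d5d313f09f5b5fcdea0c9273dcddd9a564e154e222343f697822",
}


def normalize_hashes(hashes):
    """Lower-case and validate digests so case or whitespace in a feed cannot cause a miss."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=IOC_HASHES):
    """Return sorted (path, sha256) pairs for regular files under root whose hash is in iocs.

    Symlinks are not followed, and unreadable files (permissions, races) are
    skipped so one bad file does not abort the whole sweep.
    """
    wanted = normalize_hashes(iocs)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return sorted(hits)


def demo():
    """Constructed demo: one benign file and one file whose hash we add to the IOC set.

    Returns (hits, staged_digest) so the caller can check the match independently.
    """
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "readme.txt"
        benign.write_bytes(b"nothing to see here\n")
        staged = Path(tmp) / "opt" / "vendor" / "setup.bin"  # hypothetical path
        staged.parent.mkdir(parents=True)
        staged.write_bytes(b"constructed sample; not real malware\n")
        staged_digest = sha256_file(staged)
        hits = sweep(tmp, IOC_HASHES | {staged_digest})
        return hits, staged_digest


if __name__ == "__main__":
    for path, digest in demo()[0]:
        print(f"IOC match: {path} {digest}")
```

Point `sweep()` at a real root (for example `/tmp`, `/var/tmp`, or wherever the Trojanized installer would have been unpacked) and extend `IOC_HASHES` from your own feed; `normalize_hashes()` rejects anything that is not a 64-character hex digest. A clean sweep is not proof of absence: a rebuilt or repacked installer will not share these hashes, so treat a hash match as confirmation, not as the only detection.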


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.