Linux.Gomir is a GoBear backdoor variant analyzed by Splunk that targets Linux systems, leveraging a supply-chain–based intrusion and multiple persistence and C2 techniques. The campaign linked to Kimsuky targeted TrustPKI and NX_PRNMAN, with GoBear payloads and Linux.Gomir later described by Symantec, and Splunk providing TTPs, detections, and atomic tests to defend against it. #Kimsuky #GoBear #LinuxGomir #TrustPKI #NX_PRNMAN
Keypoints
- The Kimsuky group conducted a supply chain campaign in February 2024 exploiting TrustPKI and NX_PRNMAN to deliver the GoBear backdoor.
- In May 2024, Symantec revealed a Linux variant of GoBear named Linux.Gomir, and Splunk analyzes its TTPs and detection content.
- Linux.Gomir generates a beacon infection ID from the host’s username and hostname and communicates this to its C2 over HTTP POST.
- Cron-based persistence is set up when the binary is run with an Install parameter, which triggers its full malicious functionality, including crontab manipulation.
- The malware installs itself as a system service (syslogd) by copying to /var/log/syslogd and creating /etc/systemd/system/syslogd.service, enabling persistent execution.
- Backdoor operations include various commands and information gathering, with C2 communications that decrypt commands and encrypt results.
- Splunk provides several Linux-specific detections (e.g., adding crontab using list parameter, service restarted/started, and systemd service file creation) to help defenders.
MITRE Techniques
- [T1132.002] Non-Standard Encoding – The HTTP POST beacon includes an infection ID that identifies the compromised host. ‘The beacon ID is created by taking the first 10 characters of the MD5 hash derived from the username and hostname of the infected host.’
- [T1053.003] Cron – Linux.Gomir sets up a crontab entry as part of its persistence mechanism, including creating cron.txt and updating crontab. ‘Figure 04 illustrates the code snippet demonstrating how Linux.Gomir sets up a crontab entry…’
- [T1543.003] Create or Modify System Process – Install Services – The malware installs itself as a system service by copying to /var/log/syslogd and creating /etc/systemd/system/syslogd.service to persist and run on reboot. ‘To maintain persistence and ensure execution with elevated privileges upon reboot, Linux.Gomir installs itself as a system service.’
- [T1071.001] Web Protocols – The C2 communication uses HTTP POST to send commands and receive results. ‘Figure 02 illustrates a simple HTTP POST network traffic instance of this backdoor malware as it communicates with its C2 server.’
- [T1082] System Information Discovery – The backdoor retrieves system information such as hostname, username, CPU details, memory statistics, and network information. ‘Retrieve system information such as hostname, username, CPU details, memory statistics, and network information.’
- [T1059.004] Unix Shell – The malware executes shell commands and other script-based operations as part of its backdoor capabilities. ‘Execute shell commands’ and related backdoor operations.
Indicators of Compromise
- [Hash] Gomir – 30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213
- [File] Paths and filenames – /var/log/syslogd, /etc/systemd/system/syslogd.service, cron.txt
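The script below is an added example, not code from Splunk, Symantec, or the malware itself. It shows two defender-side checks built from the TTPs and IoCs listed above: flagging auditd-style events that write the Gomir service file or binary path or that load a crontab from a cron.txt file, and deriving the expected beacon ID for hosts in a fleet inventory so HTTP POST bodies in proxy logs can be searched for it. The audit and proxy record formats, the inventory, and the address 198.51.100.7 are constructed placeholders; the report does not state how username and hostname are joined before hashing, so the direct concatenation used here is an assumption that may not match the real sample.

```python
import hashlib
import re

# Persistence artifacts taken from the report's IoC section.
GOMIR_PATHS = {
    "/var/log/syslogd",
    "/etc/systemd/system/syslogd.service",
}

# Quoted (key="value") and bare (key=value) fields of an auditd-style record.
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_audit(line):
    """Parse one auditd-style record into a dict of its key/value fields."""
    fields = {}
    for qk, qv, bk, bv in KV_RE.findall(line):
        if qk:
            fields[qk] = qv
        else:
            fields[bk] = bv
    return fields


def find_persistence_events(audit_lines):
    """Return (label, detail) pairs for records matching the report's persistence TTPs:
    PATH records naming the Gomir service file or binary, and EXECVE records
    where crontab is loaded from a cron.txt file."""
    hits = []
    for line in audit_lines:
        rec = parse_audit(line)
        if rec.get("type") == "PATH" and rec.get("name") in GOMIR_PATHS:
            hits.append(("systemd_persistence", rec["name"]))
        elif rec.get("type") == "EXECVE":
            # Reassemble argv from a0, a1, ... in numeric order.
            arg_keys = sorted((k for k in rec if re.fullmatch(r"a\d+", k)),
                              key=lambda k: int(k[1:]))
            args = [rec[k] for k in arg_keys]
            if args and args[0] == "crontab" and any(a.endswith("cron.txt") for a in args[1:]):
                hits.append(("crontab_from_file", " ".join(args)))
    return hits


def beacon_id(username, hostname):
    """First 10 hex characters of an MD5 over username and hostname, as the report describes.
    ASSUMPTION: the join format is not given in the report; the two strings are
    concatenated directly here, which may differ from the real sample."""
    return hashlib.md5((username + hostname).encode()).hexdigest()[:10]


def hunt_beacon_posts(proxy_lines, inventory):
    """Search proxy log lines for HTTP POST bodies containing the expected beacon ID
    of any (username, hostname) pair in the fleet inventory."""
    id_map = {beacon_id(u, h): (u, h) for u, h in inventory}
    hits = []
    for line in proxy_lines:
        m = re.search(r'method=POST .*body="([^"]*)"', line)
        if not m:
            continue
        for bid, owner in id_map.items():
            if bid in m.group(1):
                hits.append((owner, bid))
    return hits


# Constructed sample data (not real logs): a service-file write, a crontab load from
# cron.txt, a benign "crontab -l", and a benign package-manager write.
SAMPLE_AUDIT = [
    'type=PATH msg=audit(1715700000.101:501): item=1 name="/etc/systemd/system/syslogd.service" nametype=CREATE',
    'type=EXECVE msg=audit(1715700000.202:502): argc=2 a0="crontab" a1="cron.txt"',
    'type=EXECVE msg=audit(1715700000.203:503): argc=2 a0="crontab" a1="-l"',
    'type=PATH msg=audit(1715700000.303:504): item=0 name="/var/lib/dpkg/status" nametype=NORMAL',
]
SAMPLE_INVENTORY = [("svc-build", "ci-runner-01"), ("alice", "ws-0042")]
SAMPLE_PROXY = [
    'method=POST url=http://198.51.100.7/ body="id=%s&cmd=ok"' % beacon_id("svc-build", "ci-runner-01"),
    'method=GET url=http://example.com/ body=""',
]

if __name__ == "__main__":
    for label, detail in find_persistence_events(SAMPLE_AUDIT):
        print(f"[{label}] {detail}")
    for owner, bid in hunt_beacon_posts(SAMPLE_PROXY, SAMPLE_INVENTORY):
        print(f"[beacon] {owner[0]}@{owner[1]} -> id {bid}")
```

In practice the inventory comes from the asset database and the audit and proxy lines from the SIEM; the only part that needs adjusting once a real sample is available is the join format inside beacon_id.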