Symantec links a North Korea–connected threat actor (RGB/Kimsuky) to spear-phishing campaigns against Korea Hydro and Nuclear Power and Trojanized software installers delivering Troll Stealer and related Go-based backdoors, including a Linux variant named Gomir. The attackers targeted government-related infrastructure and used persistence via systemd services or cron, with C2 communications over HTTP to a remote server. #Kimsuky #RGB #KHNP #Gomir #TrollStealer #GoBear
Key points
- North Korea–linked actors (Kimsuky/RGB) conducted spear-phishing campaigns against KHNP and related targets, using exploits to deliver disk-wiping malware.
- Troll Stealer is a Go-based backdoor delivered inside Trojanized software installers (TrustPKI, NX_PRNMAN, Wizvera VeraPort), with code overlap to earlier Springtail families.
- Troll Stealer can exfiltrate files, browser data, screenshots, and system information, including copying the GPKI folder used by South Korea’s government personnel.
- Installers were trojanized for software from third-party pages (e.g., TrustPKI, NX_PRNMAN) and linked to a construction-sector site, indicating targeted distribution.
- GoBear and Gomir are interconnected threats; Gomir in particular is a Linux backdoor mirroring GoBear’s capabilities and using systemd or cron for persistence depending on privileges.
- Gomir communicates with a C2 server over HTTP POST to a specific host, and the infection ID is derived via an MD5-based function, highlighting a structured C2 protocol.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The campaign used spear-phishing emails containing exploits that installed disk-wiping malware on KHNP machines. ‘spear-phishing emails containing exploits that installed disk-wiping malware on their machines.’
- [T1116] Code Signing – The malware was signed with a legitimate certificate issued to “D2innovation Co.,LTD”. ‘signed with a legitimate certificate issued to “D2innovation Co.,LTD”.’
- [T1195] Supply Chain Compromise – Trojanized software installation packages distributed for TrustPKI and NX_PRNMAN (and Wizvera VeraPort), indicating a supply-chain/third-party delivery approach. ‘Trojanized software installation packages… distributed inside installation packages for TrustPKI and NX_PRNMAN.’
- [T1543.003] Create or Modify System Process: Systemd Service – Gomir installs itself as a systemd service by creating /etc/systemd/system/syslogd.service with persistence. ‘create a systemd service with the name “syslogd” by creating the file: /etc/systemd/system/syslogd.service’
- [T1053.003] Cron – If not running as root, Gomir configures a crontab to start on reboot. ‘configure a crontab to start the backdoor on every reboot.’
- [T1071.001] Web Protocols – Gomir periodically communicates with its C2 server via HTTP POST to a remote URL. ‘periodically communicates with its command-and-control (C&C) server by sending HTTP POST requests to: http://216.189.159[.]34/mir/index.php’
- [T1041] Exfiltration Over C2 Channel – Troll Stealer exfiltrates files, browser data, and system information back to the attacker. ‘The Troll Stealer can steal a range of information from infected computers including files, screenshots, browser data, and system information.’
Indicators of Compromise
- [Hash] Troll Stealer – d7f3ecd8939ae8b170b641448ff12ade2163baad05ca6595547f8794b5ad013b, 36ea1b317b46c55ed01dd860131a7f6a216de71958520d7d558711e13693c9dc and 14 other hashes
- [Hash] Linux.Gomir – 30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213
- [Hash] GoBear Dropper – 7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0
- [IP] 216.189.159[.]34 – C2 address observed in the campaign
- [URL] http://216.189.159[.]34/mir/index.php – Command-and-control endpoint
- [File] /etc/systemd/system/syslogd.service – Systemd persistence mechanism
- [File] /var/log/syslogd – Persistence-related file path used by Gomir
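The persistence and C2 behaviour listed under MITRE Techniques, and the file, path and URL indicators above, translate directly into a host triage check. The script below is an added example, not Symantec's code or anything from the report: it looks for the two persistence paths, flags @reboot crontab entries (the non-root persistence route), hashes files against the SHA-256 values quoted above, and matches HTTP log lines for POSTs to the C2 endpoint. The crontab text, log lines and "infected root" it builds are constructed sample data; the log line format is an assumption, and nothing here is a real sample.

```python
"""Host triage for the Gomir/GoBear indicators quoted in the report above (added example)."""
import hashlib
import os
import re
import tempfile

# Values copied from the indicator list above.
KNOWN_HASHES = {
    "30584f13c0a9d0c86562c803de350432d5a0607a06b24481ad4d92cdf7288213": "Linux.Gomir",
    "7bd723b5e4f7b3c645ac04e763dfc913060eaf6e136eecc4ee0653ad2056f3a0": "GoBear dropper",
}
PERSISTENCE_PATHS = ("etc/systemd/system/syslogd.service", "var/log/syslogd")
C2_HOST = "216.189.159.34"
C2_PATH = "/mir/index.php"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_persistence(root):
    """Return the report's persistence paths that exist under root ("/" on a live host)."""
    return [p for p in PERSISTENCE_PATHS if os.path.lexists(os.path.join(root, p))]


def check_crontab(crontab_text):
    """Return @reboot entries; the report says Gomir falls back to cron when not root."""
    return [ln.strip() for ln in crontab_text.splitlines() if ln.strip().startswith("@reboot")]


def scan_hashes(root, known=KNOWN_HASHES):
    """Walk root and return (path, label) for every regular file whose SHA-256 is known."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.isfile(p) or os.path.islink(p):
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if digest in known:
                hits.append((p, known[digest]))
    return hits


def find_c2_beacons(log_lines):
    """Return log lines that are HTTP POSTs to the C2 host and path from the report."""
    host_re = re.compile(r"\b" + re.escape(C2_HOST) + r"\b")  # word boundary: no 216.189.159.340
    return [ln for ln in log_lines if "POST" in ln and host_re.search(ln) and C2_PATH in ln]


def triage(root, crontab_text, log_lines, known=KNOWN_HASHES):
    return {
        "persistence": check_persistence(root),
        "cron": check_crontab(crontab_text),
        "hashes": scan_hashes(root, known),
        "c2": find_c2_beacons(log_lines),
    }


# Constructed sample inputs (not from the report); log format is an assumed proxy-style line.
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/backup.sh\n@reboot /home/user/.cache/update &\n"
SAMPLE_LOG = [
    "10.0.0.5 - - POST http://216.189.159.34/mir/index.php HTTP/1.1 200",
    "10.0.0.5 - - GET http://example.com/ HTTP/1.1 200",
    "10.0.0.7 - - POST http://216.189.159.34/other.php HTTP/1.1 404",
]


def demo():
    """Build a throw-away root that mimics an infected host and triage it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in PERSISTENCE_PATHS:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("constructed placeholder\n")
        # A constructed file stands in for a sample; its hash is added to the known set
        # so the hash scan can be exercised offline without any real malware.
        sample = os.path.join(root, "tmp", "sample.bin")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample, not real malware")
        known = dict(KNOWN_HASHES)
        known[sha256_of(sample)] = "constructed sample"
        return triage(root, SAMPLE_CRONTAB, SAMPLE_LOG, known)


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

On a real host, call `triage("/", crontab_text, log_lines)` with the output of `crontab -l` for each user and the web-proxy or egress logs; for an offline disk image, pass its mount point as `root`. A hit on the unit path alone is worth escalating, since a unit named `syslogd.service` under `/etc/systemd/system` is not something the report's target software installs.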