Gomir

Gomir is a Linux backdoor variant of the Go-based malware GoBear, uniquely associated with Kimsuky operations.[1]

ID: S1198
Type: MALWARE
Platforms: Linux
Version: 1.0
Created: 17 January 2025
Last Modified: 17 January 2025

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Gomir periodically communicates to its command and control infrastructure through HTTP POST requests.[1]

Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Gomir reads command line arguments and parses them for functionality when executed from a Linux shell, and can execute arbitrary strings passed to it as shell commands.[1]

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Gomir creates a systemd service named syslogd for persistence.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Gomir uses Base64-encoded content in HTTP communications to command and control infrastructure.[1]

Enterprise T1573 Encrypted Channel

Gomir uses a custom encryption algorithm for content sent to command and control infrastructure.[1]

Enterprise T1573 .002 Asymmetric Cryptography

Gomir uses reverse proxy functionality that employs SSL to encrypt communications.[1]

Enterprise T1083 File and Directory Discovery

Gomir collects information about directory and file structures, including total number of subdirectories, total number of files, and total size of files on infected systems.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Gomir deletes its original executable and terminates its original process after creating a systemd service.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Gomir checks the effective group ID of its process when initially executed to determine if it is in group 0, denoting superuser privileges in Linux environments.[1]

Enterprise T1090 .001 Proxy: Internal Proxy

Gomir can start a reverse proxy to initiate connections to arbitrary endpoints in victim networks.[1]

Enterprise T1018 Remote System Discovery

Gomir probes arbitrary network endpoints for TCP connectivity.[1]

Enterprise T1053 .003 Scheduled Task/Job: Cron

Gomir will configure a crontab for process execution to start the backdoor on reboot if it is not initially running under group 0 privileges.[1]
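The two persistence paths described above (a systemd unit named syslogd when running as group 0, a crontab entry otherwise) can be hunted for with a small audit. The following is an added example, not code from the ATT&CK page or the cited report; the sample unit files, the crontab lines, the list of legitimate syslog daemon paths and the "non-system path" heuristic are constructed assumptions.

```python
"""Audit systemd units and a user crontab for the persistence pattern above:
a unit called "syslogd" that does not start a known syslog daemon, and
@reboot entries launching executables from outside system binary paths."""
import re
from typing import Dict, List

# Daemons a unit legitimately named "syslogd" might start (assumed list).
KNOWN_SYSLOG_BINARIES = {"/usr/sbin/rsyslogd", "/usr/sbin/syslog-ng",
                         "/sbin/syslogd", "/usr/sbin/syslogd"}
# Locations where a genuine system service binary is not expected to live.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

def exec_start_binary(unit_text: str) -> str:
    """Return the first ExecStart= path, skipping systemd prefixes like '-' or '@'."""
    m = re.search(r"^ExecStart=([-@+!:]*)(\S+)", unit_text, re.MULTILINE)
    return m.group(2) if m else ""

def audit_systemd_units(units: Dict[str, str]) -> List[str]:
    """units maps unit file path -> file contents; returns findings as text."""
    findings = []
    for path, text in units.items():
        name = path.rsplit("/", 1)[-1]
        binary = exec_start_binary(text)
        if name == "syslogd.service" and binary not in KNOWN_SYSLOG_BINARIES:
            findings.append(f"{path}: unit named syslogd starts unexpected binary {binary!r}")
        elif binary.startswith(SUSPICIOUS_DIRS):
            findings.append(f"{path}: ExecStart points into a user-writable location {binary!r}")
    return findings

def audit_crontab(crontab_text: str) -> List[str]:
    """Flag @reboot entries (user crontab format) whose command is not a system binary."""
    findings = []
    for line in crontab_text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "@reboot":
            continue
        exe = parts[1] if len(parts) > 1 else ""
        if not exe.startswith(SYSTEM_BIN_DIRS):
            findings.append(f"@reboot entry launches {exe!r} from a non-system path")
    return findings

# Constructed sample data: one impostor "syslogd" unit, one genuine rsyslog unit.
SAMPLE_UNITS = {
    "/etc/systemd/system/syslogd.service":
        "[Unit]\nDescription=syslogd\n[Service]\nExecStart=/var/tmp/.cache/syslogd\n"
        "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "/lib/systemd/system/rsyslog.service":
        "[Unit]\nDescription=System Logging Service\n[Service]\n"
        "ExecStart=/usr/sbin/rsyslogd -n -iNONE\n",
}
SAMPLE_CRONTAB = ("@reboot /home/user/.config/syslogd\n"
                  "0 * * * * /usr/bin/logrotate /etc/logrotate.conf\n")

if __name__ == "__main__":
    for finding in audit_systemd_units(SAMPLE_UNITS) + audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```

On a live host the same functions can be fed the contents of /etc/systemd/system/*.service and the output of `crontab -l` for each account.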

Enterprise T1082 System Information Discovery

Gomir collects information on infected systems such as hostname, username, CPU, and RAM information.[1]

Enterprise T1016 System Network Configuration Discovery

Gomir collects network information on infected systems such as listing interface names, MAC and IP addresses, and IPv6 addresses.[1]

Groups That Use This Software

ID Name References
G0094 Kimsuky

Gomir is uniquely associated with Kimsuky operations.[1]

References