Analytics Story: Gomir
Description
This analytic story groups detections that help security analysts identify and investigate activity associated with the Gomir backdoor, a Linux backdoor attributed to the Kimsuky (Springtail) group and delivered through trojanized installers (see References). Gomir communicates with a remote command-and-control (C2) server to execute commands, steal sensitive data, and stage further attacks while evading traditional security controls. The detections in this story focus on the persistence mechanisms such a backdoor relies on: systemd unit files and services, and cron entries.
Why it matters
The Gomir backdoor is designed to infiltrate and compromise Linux systems covertly. Once it has gained access, Gomir establishes a persistent presence and communicates with a remote command-and-control (C2) server, through which the attacker can execute a wide range of commands on the infected system. Gomir can steal sensitive data and exfiltrate it to the attacker, and it can download and install further payloads, enabling broader cyber-espionage or destructive activity. Note that the detections below are anomaly and hunting searches over common administrative actions (creating a unit file, enabling or restarting a service, listing a crontab); any one of them firing alone is expected noise on a managed host, whereas several firing on the same host within a short window is the persistence pattern this story is meant to surface and should be triaged together.
Detections
| Name | Technique | Type |
|---|---|---|
| Linux Service File Created In Systemd Directory | Systemd Timers | Anomaly |
| Linux Service Started Or Enabled | Systemd Timers | Anomaly |
| Linux Service Restarted | Systemd Timers | Anomaly |
| Linux Auditd Service Restarted | Systemd Timers | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron | Hunting |
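The detections in the table are Splunk searches over Sysmon for Linux and auditd data. As an added example that is not part of the story or Splunk's own SPL, the following Python models the same detection logic outside Splunk and runs it over constructed Sysmon-for-Linux-style events (field names `EventID`, `Image`, `CommandLine`, `TargetFilename` and `Computer` follow Sysmon; the events, host names and `example.service` are made up, not Gomir telemetry). It goes slightly beyond the table by also matching `.timer` units and per-user unit directories, and by adding the host-level grouping the "Why it matters" paragraph argues for; the auditd-sourced variant of the restart detection is not modelled.

```python
"""Pure-Python model of the Gomir story's detections over constructed
Sysmon-for-Linux-style events. Added example; assumptions are noted inline."""

import re
from typing import Dict, List, Tuple

# Assumption: systemd unit directories (system-wide plus ~/.config/systemd/user/)
# and both .service and .timer unit files; the ESCU detection name says "Service File".
SYSTEMD_UNIT_PATH_RE = re.compile(
    r"^(/etc/systemd/system/|/usr/lib/systemd/system/|/lib/systemd/system/|"
    r"/run/systemd/system/|/home/[^/]+/\.config/systemd/user/).+\.(service|timer)$"
)

# systemctl verbs mapped to the detection names from the story table.
SYSTEMCTL_VERB_TO_DETECTION = {
    "start": "Linux Service Started Or Enabled",
    "enable": "Linux Service Started Or Enabled",
    "restart": "Linux Service Restarted",
}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the story's detections that a single event matches."""
    hits: List[str] = []
    event_id = event.get("EventID")
    if event_id == "11":  # Sysmon FileCreate
        if SYSTEMD_UNIT_PATH_RE.match(event.get("TargetFilename", "")):
            hits.append("Linux Service File Created In Systemd Directory")
    elif event_id == "1":  # Sysmon ProcessCreate
        image = event.get("Image", "")
        argv = event.get("CommandLine", "").split()
        if image.endswith("/systemctl") and argv:
            # Skip options such as --now / --user to reach the verb.
            verbs = [a for a in argv[1:] if not a.startswith("-")]
            if verbs and verbs[0] in SYSTEMCTL_VERB_TO_DETECTION:
                hits.append(SYSTEMCTL_VERB_TO_DETECTION[verbs[0]])
        if image.endswith("/crontab") and "-l" in argv[1:]:
            hits.append("Linux Adding Crontab Using List Parameter")
    return hits


def run_story(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Apply every detection to every event; returns (event index, detection name)."""
    return [(i, name) for i, ev in enumerate(events) for name in classify(ev)]


def hosts_with_multiple_detections(events: List[Dict[str, str]],
                                   threshold: int = 2) -> Dict[str, List[str]]:
    """Group hits by host (Sysmon 'Computer') and keep hosts with at least
    `threshold` distinct detections: one anomaly is noise, several on one host
    is the persistence pattern the story describes."""
    by_host: Dict[str, set] = {}
    for i, name in run_story(events):
        by_host.setdefault(events[i].get("Computer", "unknown"), set()).add(name)
    return {h: sorted(names) for h, names in by_host.items() if len(names) >= threshold}


# Constructed sample events (not real telemetry). The first four model the
# persistence sequence on one host; the last two are benign activity elsewhere.
SAMPLE_EVENTS = [
    {"EventID": "11", "Computer": "web01", "Image": "/usr/bin/cp",
     "TargetFilename": "/etc/systemd/system/example.service"},
    {"EventID": "1", "Computer": "web01", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl enable --now example.service"},
    {"EventID": "1", "Computer": "web01", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl restart example.service"},
    {"EventID": "1", "Computer": "web01", "Image": "/usr/bin/crontab",
     "CommandLine": "crontab -l"},
    {"EventID": "11", "Computer": "build02", "Image": "/usr/bin/vim",
     "TargetFilename": "/home/alice/notes.txt"},
    {"EventID": "1", "Computer": "build02", "Image": "/usr/bin/systemctl",
     "CommandLine": "systemctl status sshd"},
]

if __name__ == "__main__":
    for idx, detection in run_story(SAMPLE_EVENTS):
        print(f"event {idx} on {SAMPLE_EVENTS[idx]['Computer']}: {detection}")
    print("hosts to triage:", hosts_with_multiple_detections(SAMPLE_EVENTS))
```

Running it flags the four `web01` events (one per detection in the table) and nothing on `build02`; `hosts_with_multiple_detections` then reports only `web01`, which is the triage unit an analyst would pivot on in Splunk by grouping risk events on `Computer` (or `dest`).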
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Linux Auditd Proctitle | Linux | auditd | auditd |
References
- https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-via-trojanized-installers/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage
Source: GitHub | Version: 2