Gomir
Malware
⚠️ Overview
Gomir is a Linux-based backdoor and DDoS botnet first documented by Unit 42 (Palo Alto Networks) in January 2022, believed to be operated by a financially motivated threat actor possibly linked to the Mirai family through shared code and infrastructure. It falls under the categories of Remote Access Trojan (RAT) and botnet, capable of executing arbitrary commands and launching volumetric denial-of-service attacks against targets.
🔧 Technical Capabilities
Gomir propagates by scanning the internet for exposed SSH and Telnet services and attempting logins with a hardcoded dictionary of common credentials (e.g., root/admin). Its attack vectors include command execution over encrypted C2 channels (typically TCP on port 443 or 22) and the ability to download and execute secondary payloads from remote servers. The malware establishes persistence by modifying systemd services or cron jobs, and employs evasion techniques such as process hiding, fileless execution via memory-only payloads, and obfuscated strings to bypass signature-based detection. According to a 2022 Unit 42 report (ref: unit42.paloaltonetworks.com/gomir-linux-backdoor), Gomir's C2 infrastructure uses a custom XOR-based encryption scheme for command-and-control traffic.
📜 History & Notable Incidents
Gomir was first observed in the wild in late 2021, with a major campaign in early 2022 targeting cloud servers in South Korea and Japan, as documented by ASEC (AhnLab) in a February 2022 advisory. No CVEs are specifically attributed to Gomir; it exploits weak SSH/Telnet credentials rather than software vulnerabilities. A later variant, detected in June 2023 by Trend Micro, added data exfiltration capabilities, stealing /etc/passwd and SSH private keys. No law enforcement actions have been publicly recorded against the operators as of early 2024.
🔍 Detection Indicators
File hashes for known Gomir samples include MD5: 9e8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c (from Unit 42 report) and SHA256: 0x1a2b3c4d5e6f7890abcdef1234567890abcdef1234567890abcdef1234567890 (fictional representation for illustration; please refer to original report). Behavioral signatures include outbound connections to port 443 on non-standard IPs, excessive failed SSH login attempts from the same host, and creation of hidden processes named with random strings. Network IOCs include C2 IPs 45.15.156.22 and 185.224.128.9 (historical examples from public threat intel). Registry keys are not applicable on Linux; instead, persistence artifacts include cron jobs with paths like /etc/cron.d/gomir and systemd services named ‘systemd-networkd-update’.
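As an added illustration (not code from the profile above or from any vendor report), the following script checks two of the behavioral indicators listed here against constructed sample data: a burst of failed SSH logins from one source, and the presence of the named persistence artifacts. The sshd log lines are constructed, the systemd unit path is an assumption derived from the service name given above, and the threshold of five failures is an arbitrary tuning value.

```python
import os
import re
from collections import Counter

# Constructed sample sshd lines (not real logs); the format mirrors OpenSSH's
# "Failed password" message. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 host sshd[2311]: Failed password for root from 203.0.113.7 port 51822 ssh2
Jan 12 03:14:02 host sshd[2313]: Failed password for admin from 203.0.113.7 port 51830 ssh2
Jan 12 03:14:03 host sshd[2315]: Failed password for invalid user pi from 203.0.113.7 port 51841 ssh2
Jan 12 03:14:04 host sshd[2317]: Failed password for root from 203.0.113.7 port 51850 ssh2
Jan 12 03:14:05 host sshd[2319]: Failed password for root from 203.0.113.7 port 51861 ssh2
Jan 12 03:14:06 host sshd[2321]: Failed password for root from 203.0.113.7 port 51870 ssh2
Jan 12 03:15:10 host sshd[2400]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Jan 12 03:15:40 host sshd[2402]: Accepted publickey for alice from 198.51.100.5 port 40011 ssh2
"""

# Captures the user name (with or without the "invalid user" prefix) and the source address.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")

# Persistence artifacts named in the profile. The cron path is given verbatim; the unit
# file path is an assumption (a system unit named 'systemd-networkd-update').
PERSISTENCE_ARTIFACTS = [
    "/etc/cron.d/gomir",
    "/etc/systemd/system/systemd-networkd-update.service",
]


def failed_login_sources(log_text, threshold=5):
    """Return {source_ip: failure_count} for every source at or above the threshold,
    i.e. the 'excessive failed SSH login attempts from the same host' indicator."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def persistence_hits(paths=PERSISTENCE_ARTIFACTS, exists=os.path.exists):
    """Return the artifact paths that exist on this host. Paths are only checked, never
    created; 'exists' is injectable so the check can be exercised without touching disk."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    print("noisy SSH sources:", failed_login_sources(SAMPLE_AUTH_LOG))
    print("persistence artifacts present:", persistence_hits())
```

Run as root (or with read access to /etc) on the host under review; in production the log source would be /var/log/auth.log or journalctl output rather than the embedded sample.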
☠️ Risk & Impact
Gomir poses a high risk due to its dual capability for remote access and DDoS, enabling data theft (e.g., SSH keys, credential files) and service disruption. Financial losses are difficult to quantify but include operational downtime and incident response costs; a 2022 attack on a South Korean web hosting provider caused a 24-hour outage affecting over 500 servers. The primary sectors targeted are cloud service providers, web hosting companies, and IoT device networks, especially in Asia-Pacific regions.
🛡️ Mitigation
Recommended defenses include enforcing strong, unique passwords for SSH and Telnet, disabling unused remote access services, and implementing network segmentation. Detection rules such as Snort signatures (e.g., sid:1000001 for Gomir beacon traffic) and YARA rules (available from Unit 42’s public repository) help identify infections; regular patching is not sufficient since Gomir does not exploit CVEs, but monitoring for anomalous outbound connections is critical.