Security researchers from ESET discovered an unusual malware that is attacking supercomputers worldwide. Named “Kobalos” after the kobalos, a small, mischievous creature in Greek mythology, the malware is small yet complex, and is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows.
Kobalos is a backdoor that has been traced back to attacks against high performance computing (HPC) clusters in Europe, as well as a large Asian ISP, a North American endpoint security vendor and some personal servers.
“We’ve worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on scientific research networks. According to them, the usage of the Kobalos malware predates the other incidents. While we know Kobalos compromised large HPC clusters, no one could link the Kobalos incidents to the use of cryptocurrency malware. The malware and the techniques described in these other attacks are different,” the researchers said.
Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and can also act as a connection point to other compromised servers. The researchers observed multiple methods used by the malware operators to connect to a Kobalos-infected machine. For example, once Kobalos is embedded in the OpenSSH server executable (sshd), it will trigger the backdoor code if the connection is coming from a specific TCP source port.
Additionally, ESET found stand-alone variants of the malware that either connect to an attacker-controlled server that will act as a middleman, or wait for an inbound connection on a given TCP port.
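The source-port trigger described above gives defenders something to look for in connection records even without knowing the exact port value, which this article does not give: a normal SSH client picks an ephemeral source port for each session, so a privileged source port, or the same source port reused across several sessions from one host, is worth a closer look. The following is an added example and not code from ESET's report; the log format, sample lines and thresholds are all constructed for illustration.

```python
"""
Added example (not from ESET's report): flag inbound SSH connections whose
client source port looks fixed rather than ephemeral. The trigger port used
by Kobalos is not given in the article, so this looks for the pattern (a
privileged or repeatedly reused source port) instead of a known value.
"""
import re
from collections import Counter
from dataclasses import dataclass

SSH_PORT = 22
PRIVILEGED_MAX = 1023   # ordinary clients do not bind source ports <= 1023
REUSE_THRESHOLD = 3     # same (src_ip, src_port) pair seen this many times

# Constructed log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one client with normal ephemeral ports, one client
# reusing a single source port, one client on a privileged source port,
# and one unrelated HTTPS connection that must be ignored.
SAMPLE_LOG = """\
2021-01-05T10:00:01Z 203.0.113.5:42111 -> 198.51.100.10:22
2021-01-05T10:02:17Z 203.0.113.5:42112 -> 198.51.100.10:22
2021-01-05T10:05:44Z 203.0.113.9:40021 -> 198.51.100.10:22
2021-01-05T11:00:00Z 203.0.113.9:40021 -> 198.51.100.10:22
2021-01-05T12:00:00Z 203.0.113.9:40021 -> 198.51.100.10:22
2021-01-05T12:30:09Z 192.0.2.77:512 -> 198.51.100.10:22
2021-01-05T12:31:00Z 192.0.2.78:55001 -> 198.51.100.10:443
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src_ip: str
    src_port: int
    dst_port: int


def parse_log(text):
    """Parse the constructed connection-log format into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        conns.append(Conn(m["ts"], m["sip"], int(m["sport"]), int(m["dport"])))
    return conns


def suspicious_ssh_sources(conns, reuse_threshold=REUSE_THRESHOLD):
    """Return {(src_ip, src_port): reason} for inbound SSH connections that use
    a privileged source port or reuse one source port at least reuse_threshold times."""
    findings = {}
    counts = Counter()
    for c in conns:
        if c.dst_port != SSH_PORT:
            continue
        key = (c.src_ip, c.src_port)
        counts[key] += 1
        if c.src_port <= PRIVILEGED_MAX:
            findings[key] = "privileged source port"
    for key, n in counts.items():
        if n >= reuse_threshold:
            # keep the privileged-port reason if both apply
            findings.setdefault(key, f"source port reused {n} times")
    return findings


if __name__ == "__main__":
    for (ip, port), reason in sorted(suspicious_ssh_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip}:{port}  {reason}")
```

Port reuse is a heuristic, not proof: NAT devices and some automation can reuse source ports legitimately, so a hit should lead to checking the sshd binary on the destination host rather than straight to an incident declaration. The reuse threshold is an assumption and should be tuned against the environment's normal traffic.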
“Something that makes Kobalos unique is the fact that the code for running a C&C server is in Kobalos itself. Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server,” the researchers wrote.
In addition, on most systems compromised by Kobalos, the SSH client is also modified to steal credentials.
“The presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later,” the researchers explained.
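Because both the sshd server and the ssh client on a compromised host are reported to be modified, the practical check is whether those binaries still match a known-good baseline. This added example (not code from ESET or OpenSSH) compares installed files against a manifest of expected SHA-256 hashes; the manifest and the "installed" files are constructed in a temporary directory so it runs offline, and the path names are illustrative.

```python
"""
Added example (not from ESET's report): baseline integrity check for the SSH
binaries Kobalos is reported to tamper with. In practice the manifest comes
from the package manager on a trusted host or from a clean build; here it is
constructed alongside a fake install tree so the check is self-contained.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest, root):
    """manifest: {relative_path: expected_sha256_hex}.
    Returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "missing"
        elif sha256_file(path) != expected.lower():
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def build_demo():
    """Construct a fake install tree: clean sshd, altered ssh client, absent scp.
    All file contents are placeholders, not real binaries."""
    root = tempfile.mkdtemp(prefix="ssh-baseline-demo-")
    clean_sshd = b"CONSTRUCTED sshd bytes\n"
    clean_ssh = b"CONSTRUCTED ssh client bytes\n"
    manifest = {
        "usr/sbin/sshd": hashlib.sha256(clean_sshd).hexdigest(),
        "usr/bin/ssh": hashlib.sha256(clean_ssh).hexdigest(),
        "usr/bin/scp": hashlib.sha256(b"CONSTRUCTED scp bytes\n").hexdigest(),
    }
    os.makedirs(os.path.join(root, "usr", "sbin"))
    os.makedirs(os.path.join(root, "usr", "bin"))
    with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
        f.write(clean_sshd)
    with open(os.path.join(root, "usr", "bin", "ssh"), "wb") as f:
        # extra bytes stand in for a modified client binary
        f.write(clean_ssh + b"CONSTRUCTED: appended bytes\n")
    return manifest, root


if __name__ == "__main__":
    manifest, root = build_demo()
    for rel, status in sorted(verify_manifest(manifest, root).items()):
        print(f"{status:8s} {rel}")
```

On a real host the same comparison is what `rpm -V openssh-clients` or `dpkg -V openssh-client` performs, but those tools read a package database stored on the host being checked; on a machine suspected of running a backdoored sshd, the baseline hashes should be taken from package files or a clean host rather than trusted from the local database. Any credentials used through a client that fails this check should be treated as captured and rotated.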
ESET said it was not able to determine the intentions of Kobalos’ operators and that no other malware was found on the infected machines, except for the SSH credential stealer.
“The way Kobalos is tightly contained in a single function and the usage of an existing open port to reach Kobalos makes this threat harder to find […] This level of sophistication is only rarely seen in Linux malware. Given that it’s more advanced than the average and that it compromised rather large organizations, Kobalos may be running around for a little while,” the cybersecurity firm added.