Kobalos is, in essence, a back door. Once the malware lands on a supercomputer, the code flows into an OpenSSH server executable. It will then trigger the backdoor if a call is made through a specific TCP source port. Other variants act as intermediaries for traditional command and control (C2) server connections.
This Linux malware hijacks supercomputers around the world. ESET performed reverse engineering of the malware and its description. Kobalos’ codebase is tiny, but not its impact. The malware has been traced back to attacks on supercomputers used by a significant Asian Internet service provider, a US endpoint security provider and several private servers, among other targets.
Kobalos is unusual for several reasons. Its code base is tiny but sophisticated enough to at least impact Linux, BSD, and Solaris operating systems. ESET suspects that it may also be compatible with attacks against AIX and Microsoft Windows machines. According to cybersecurity researcher Marc-Étienne Léveillé, it must be said that this level of sophistication is rarely seen in Linux malware.
While working with the CERN IT Security team, ESET realized that this unique, cross-platform malware was targeting high-performance computer (HPC) clusters. In some cases of infection, sidekick malware appears to be hijacking SSH server connections to steal credentials to obtain access to HPC clusters to deploy Kobalos. The presence of this credential thief may partially explain how Kobalos is spreading.
Kobalos grants its operators remote access to file systems. This allows them to generate terminal sessions and serves as their connection points to other servers infected with the malware. ESET says that Kobalos’s ability to turn any compromised server into C2 with a single command is a unique malware feature. Since the C2 server IP addresses and ports are hard-coded into the executable, operators can generate new Kobalos samples that use this new C2 server.
More research is needed on Kobalos
Analyzing malware was a real challenge. According to ESET’s explanation, all of its code is indeed kept in a single function called recursively to perform sub-tasks. ESEt adds that all channels are encrypted as an additional barrier to reverse engineering. More research efforts must be made on the malware and who might be responsible for its development from now on.
Researchers have not been capable of determining the intentions of the Kobalos operators. No other malware, except SSH credential thief, was found by system administrators of compromised machines. The researchers hope the details they revealed will help raise awareness and understand this threat.
Hackers have infiltrated supercomputers in Europe. A reasonably sophisticated backdoor has been detected. But its mission has not yet been determined. Eset security researchers have discovered the presence of a backdoor in European supercomputers. Called “Kobalos”, this malicious code is relatively small – 25 kb – but still quite sophisticated.
It can infect many types of systems such as Linux, BSD, Solaris, and possibly AIX and Windows. Each instance provides access to the filesystem, issue remote commands, and steal SSH credentials. Each can also become a command and control server for the others, making it easier to control the different infected machines. Among the victims are many university research networks and, in particular, high-performance computing systems.
The purpose and origin of this operation is not clear. It may be linked to this wave of cryptojacking that targeted specific supercomputers in 2020. “On the one hand, these different attacks are based on different tools and tactics and do not have the same sophistication level. On the other hand, there is an overlap in the IP addresses used to launch these attacks,” the researchers find.