Kobalos Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Kobalos malware with a small yet complex codebase, targeting multiple operating systems.
Published on March 5, 2021
Updated on April 19, 2023
Advisory: Malware Advisory
Type: Credential Stealer, Backdoor
Name: Kobalos Malware
Affected Industries: IT & ITES, Government services
Kobalos is a sophisticated Linux malware with a small yet complex codebase. In January 2021, ESET researchers discovered it actively targeting high-performance computing (HPC) clusters across multiple organizations. Although the codebase is tiny, it is portable enough to run on Linux, BSD, Solaris and probably other operating systems as well.

Execution

Kobalos was detected targeting supercomputer clusters in Poland, Canada and China. On most compromised systems the operators also deployed a separate credential stealer: a trojanized OpenSSH client that records the username, password and destination host of outgoing SSH connections. The stolen credentials are then used to log in to further nodes and spread Kobalos across the cluster.

Kobalos itself is a backdoor. Once dropped on a host, its code is embedded in the OpenSSH server executable (sshd) and relies on traffic signaling: the backdoor code runs only when an incoming connection arrives from one specific TCP source port, while every other connection is handed to the legitimate sshd code, so the service keeps working normally. Through the backdoor an attacker can read and write the file system remotely, spawn terminal sessions, and proxy connections. One of its unique features is that a compromised server can be turned into a C2 server with a single command; the other Kobalos variants act as intermediaries, relaying traffic to a traditional command-and-control (C2) server.

[Figure: Kobalos features and ways to access them]

The whole Kobalos code is held in a single function that recursively calls itself to perform its subtasks, which makes reverse engineering harder. Authenticating to the backdoor requires a 512-bit RSA private key and a 32-byte-long password. Once the client is authenticated, RC4 keys are exchanged and the rest of the communication is encrypted with them.
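The traffic-signaling trigger described above gives a defender something concrete to hunt for: a normal SSH client lets the kernel pick a fresh ephemeral source port for every connection, whereas an operator triggering the backdoor has to connect from one fixed source port, usually against several nodes of the cluster. The Python script below is an added illustration of that heuristic and is not CloudSEK or ESET tooling. The flow-record format, the addresses and the port 55201 in SAMPLE_CONN_LOG are all constructed; the actual trigger port used by Kobalos is not given in this advisory, so the check looks for source-port reuse rather than for one known port.

```python
"""Hunt for SSH traffic signaling: one TCP source port reused across connections.

Added example, not part of the original advisory. The log format and every
value in SAMPLE_CONN_LOG are constructed; the real trigger port is not
published here, so the check flags reuse of a source port rather than a
specific port number.
"""
from collections import defaultdict

# Constructed flow records (not real telemetry): ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1612345600.10 10.0.0.5 49152 10.0.1.10 22 tcp
1612345601.20 10.0.0.5 49153 10.0.1.10 22 tcp
1612345602.30 10.0.0.7 55201 10.0.1.10 22 tcp
1612345603.40 10.0.0.7 55201 10.0.1.11 22 tcp
1612345604.50 10.0.0.7 55201 10.0.1.12 22 tcp
1612345605.60 10.0.0.7 55201 10.0.1.10 443 tcp
1612345606.70 10.0.0.9 51000 10.0.1.13 22 tcp
1612345607.80 10.0.0.9 51000 10.0.1.13 22 udp
"""


def parse_conn_log(text):
    """Parse whitespace-separated flow records into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src_ip, src_port, dst_ip, dst_port, proto = line.split()
        flows.append({
            "ts": float(ts),
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_ip": dst_ip,
            "dst_port": int(dst_port),
            "proto": proto.lower(),
        })
    return flows


def reused_source_ports(flows, dst_port=22, min_flows=3):
    """Return {src_port: sorted distinct destination IPs} for every TCP source port
    seen in at least `min_flows` connections to `dst_port`.

    A well-behaved client gets a new ephemeral source port per connection, so
    the same source port hitting sshd repeatedly, and on several hosts, is the
    pattern an operator triggering the Kobalos backdoor would leave behind.
    """
    by_port = defaultdict(list)
    for flow in flows:
        if flow["proto"] == "tcp" and flow["dst_port"] == dst_port:
            by_port[flow["src_port"]].append(flow)
    return {
        port: sorted({f["dst_ip"] for f in port_flows})
        for port, port_flows in by_port.items()
        if len(port_flows) >= min_flows
    }


if __name__ == "__main__":
    hits = reused_source_ports(parse_conn_log(SAMPLE_CONN_LOG))
    for port, hosts in hits.items():
        print(f"source port {port} reused against sshd on: {', '.join(hosts)}")
```

Run against real data from a network sensor in front of the login nodes or from host firewall/conntrack logs (in Zeek's conn.log the corresponding fields are id.orig_p and id.resp_p). Treat a hit as a triage lead rather than an alert: load balancers, monitoring agents and some scanners also bind a fixed source port, so confirm by checking whether the sshd on the destination hosts matches the distribution's package before escalating.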

MITRE ATT&CK Tactics

Tactic: Technique (ID)
Persistence: Compromise Client Software Binary (T1554), Traffic Signaling (T1205)
Defense Evasion: Clear Command History (T1070.003), Timestomp (T1070.006), Software Packing (T1027.002)
Command and Control: Encrypted Channel: Symmetric Cryptography (T1573.001), Encrypted Channel: Asymmetric Cryptography (T1573.002), Proxy: Multi-hop Proxy (T1090.003)
 

Impact

Business Impact
  1. Financial loss to the organization if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised credentials and PII can be reused in follow-on social engineering attacks
Technical Impact
Kobalos plants a backdoor inside the host's OpenSSH server that gives the attacker remote access to the file system and a terminal session on the device. From there the attacker can modify files, launch further malicious software, and use the compromised host as a relay or C2 server for other infected machines.

Indicators of Compromise

SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
SHA256
  1. 13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a
  2. 29e2f15a4a6275f43d86cf613c2934171aa5be187da7fdaa99a006245890de1f
  3. 4d610283c93904d984a42269aef65c2cab89f4a127d9c229a700e6aaf9d7000e
  4. 6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a
  5. 73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58
  6. 75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45
  7. 9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74
  8. d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983
  9. dd1b3cd0042d4c090bc72099f30e4b76d5f2772f9f9f95176f2c59bc2ac30aa8
  10. f8c931767bc0ab951b72ab691163e6d1fc3c50e4ceee5277858d3e77a0c02e92
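The hashes above are most useful when they can be checked quickly across every node of a cluster. The Python script below is an added example of such a sweep and is not CloudSEK or ESET tooling: it streams each file through SHA-1 and SHA-256 and reports any file whose digest appears in this advisory's indicator lists. The indicator sets are copied verbatim from the lists above; the default target paths (/usr/sbin/sshd, /usr/bin/ssh and their directories) are an assumption about where a trojanized OpenSSH server or client would be installed on a Linux host.

```python
"""Sweep binaries for the Kobalos file hashes listed in this advisory.

Added example, not CloudSEK or ESET tooling. The default target paths are an
assumption about where OpenSSH binaries live on a typical Linux host.
"""
import hashlib
import os
import sys

# Indicators copied from the advisory's IoC section (lower-case hex).
KOBALOS_SHA1 = {
    "1dd0edc5744d63a731db8c3b42efbd09d91fed78",
    "325f24e8f5d56db43d6914d9234c08c888cdae50",
    "479f470e83f9a5b66363fba5547fdfcf727949da",
    "659cbdf9288137937bb71146b6f722ffcda1c5fe",
    "6616de799b5105ee2eb83bbe25c7f4433420dff7",
    "a4050a8171b0fa3ae9031e0f8b7272facf04a3aa",
    "affa12cc94578d63a8b178ae19f6601d5c8bb224",
    "c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba",
    "e094dd02cc954b6104791925e0d1880782b046cf",
    "fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe",
}
KOBALOS_SHA256 = {
    "13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a",
    "29e2f15a4a6275f43d86cf613c2934171aa5be187da7fdaa99a006245890de1f",
    "4d610283c93904d984a42269aef65c2cab89f4a127d9c229a700e6aaf9d7000e",
    "6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a",
    "73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58",
    "75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45",
    "9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74",
    "d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983",
    "dd1b3cd0042d4c090bc72099f30e4b76d5f2772f9f9f95176f2c59bc2ac30aa8",
    "f8c931767bc0ab951b72ab691163e6d1fc3c50e4ceee5277858d3e77a0c02e92",
}


def hash_bytes(data):
    """Return (sha1, sha256) hex digests of an in-memory blob."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Return (sha1, sha256) hex digests of a file, streamed so large binaries fit in memory."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def match_indicators(sha1, sha256):
    """Return the names of the indicator lists that matched ('sha1', 'sha256'); empty set if none."""
    hits = set()
    if sha1.lower() in KOBALOS_SHA1:
        hits.add("sha1")
    if sha256.lower() in KOBALOS_SHA256:
        hits.add("sha256")
    return hits


def sweep(targets):
    """Hash every regular file under the given files/directories; return {path: hits} for matches.

    Symlinks are skipped so a link to a binary is not reported twice, and
    unreadable files are ignored rather than aborting the whole sweep.
    """
    matches = {}
    for target in targets:
        if os.path.isfile(target):
            candidates = [target]
        else:
            candidates = [os.path.join(d, n) for d, _, names in os.walk(target) for n in names]
        for path in candidates:
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                sha1, sha256 = hash_file(path)
            except OSError:
                continue
            hits = match_indicators(sha1, sha256)
            if hits:
                matches[path] = hits
    return matches


if __name__ == "__main__":
    # Assumed default locations of the OpenSSH server and client on a Linux host.
    paths = sys.argv[1:] or ["/usr/sbin/sshd", "/usr/bin/ssh", "/usr/sbin", "/usr/bin"]
    found = sweep(paths)
    for path, hits in sorted(found.items()):
        print(f"MATCH {path} ({', '.join(sorted(hits))})")
    sys.exit(1 if found else 0)
```

A hash sweep only catches the samples listed here. Because Kobalos is embedded in the OpenSSH server binary, also verify the installed packages against the distribution's manifest (for example rpm -V openssh-server openssh-clients on RPM systems, or dpkg -V openssh-server openssh-client on Debian-based ones) so that a rebuilt or unlisted variant still stands out as a modified sshd or ssh.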
 

Mitigation

  1. Use updated antivirus and endpoint detection software that detects and stops malware infections
  2. Apply critical patches to the operating system and applications, including OpenSSH
  3. Use strong, unique passwords and enable two-factor authentication (2FA) for logins, SSH access included
  4. Review the privileges and permissions granted to each user and remove any that are not needed
  5. Make it easy for users to report suspicious behavior
  6. Back up data regularly
