Kobalos is a sophisticated Linux malware that has a small, yet complex codebase. In January 2021, ESET Researchers discovered this malware actively targeting high-performing computers across multiple organizations. Although the malware's codebase is tiny it is enough to attack Linux, BSD, Solaris and probably other operating systems as well.
|Credential Stealer, Backdoor
|IT & ITES, Government services
Kobalos was detected targeting supercomputer clusters in Poland, Canada and China. Kobalos operators deploy a different malware to hijack SSH server connections and steal credentials. Followed by which, the stolen credentials are used to penetrate the computer clusters to mobilize Kobalos. It works as a backdoor and abuses specific TCP source ports.
Kobalos allows attackers to access the file system remotely, generate terminal sessions, etc. One of the unique features of this malware is that it can turn a compromised server into a C2 server with a single command. Once the malware is dropped on a supercomputer, the code is hidden in an OpenSSH server executable and Kobalos listens to a specific TCP source port which then triggers the backdoor. The other Kobalos variants act as middlemen for traditional command-and-control (C2) server connections.
[caption id="attachment_10009" align="alignnone" width="768"]
Kobalos features and ways to access them[/caption]
Kobalos code is held in a single function that periodically calls itself to perform subtasks making it harder for reverse engineering. The backdoor requires a private 512-bit RSA key and a 32-byte-long password to be executed. Once validated RC4 keys are exchanged and further communication is encrypted with them.
MITRE ATT&CK Tactics
||Compromise Client Software Binary (TI554), Traffic Signaling (TI205)
||Clear Command History (T1070.003), Timestomp (T1070.006), Software Packing (T1027.002)
|Command and Control
||Encrypted Channel: Symmetric Cryptography (T1573.001), Encrypted Channel: Asymmetric Cryptography (T1573.002), Proxy: Multi-hop Proxy (T1090.003)
- Financial loss to the organization if its operations are interrupted
- Loss of brand reputation
- Compromised PII leads to social engineering attacks
Creates a backdoor which allows access to the user’s device. Through which the attacker will be able to modify files or launch the malicious software.
Indicators of Compromise
- Use updated antivirus software that detects and stops malware infections
- Apply critical patches to the system and application
- Use strong passwords and enable 2FA over logins
- Check the privileges and permission allotted to the user
- Make it easy for users to report suspicious behavior
- Back-up data regularly