Kobalos Malware Threat Intel Advisory

Published 05 March 2021


  • Kobalos is a sophisticated malware that has a small yet complex codebase
  • The malware targets Linux, BSD, Solaris and other operating systems

Share this Threat Intel:

Advisory
Malware Advisory
Type
Credential Stealer, Backdoor
Name
Kobalos Malware
Affected Industries
IT & ITES, Government services

 

Kobalos is a sophisticated Linux malware that has a small, yet complex codebase. In January 2021, ESET Researchers discovered this malware actively targeting high-performing computers across multiple organizations. Although the malware’s codebase is tiny it is enough to attack Linux, BSD, Solaris and probably other operating systems as well.

 

Execution

Kobalos was detected targeting supercomputer clusters in Poland, Canada and China. Kobalos operators deploy a different malware to hijack SSH server connections and steal credentials. Followed by which, the stolen credentials are used to penetrate the computer clusters to mobilize Kobalos. It works as a backdoor and abuses specific TCP source ports.

Kobalos allows attackers to access the file system remotely, generate terminal sessions, etc. One of the unique features of this malware is that it can turn a compromised server into a C2 server with a single command. Once the malware is dropped on a supercomputer, the code is hidden in an OpenSSH server executable and Kobalos listens to a specific TCP source port which then triggers the backdoor. The other Kobalos variants act as middlemen for traditional command-and-control (C2) server connections.

Kobalos
Kobalos features and ways to access them

 

Kobalos code is held in a single function that periodically calls itself to perform subtasks making it harder for reverse engineering. The backdoor requires a private 512-bit RSA key and a 32-byte-long password to be executed. Once validated RC4 keys are exchanged and further communication is encrypted with them.

 

MITRE ATT&CK Tactics

Tactic
Name/ ID
Persistence Compromise Client Software Binary (TI554), Traffic Signaling (TI205)
Defense Evasion Clear Command History (T1070.003), Timestomp (T1070.006), Software Packing (T1027.002)
Command and Control Encrypted Channel: Symmetric Cryptography (T1573.001), Encrypted Channel: Asymmetric Cryptography (T1573.002), Proxy: Multi-hop Proxy (T1090.003)

 

Impact

Business Impact
  1. Financial loss to the organization if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks
Technical Impact

Creates a backdoor which allows access to the user’s device. Through which the attacker will be able to modify files or launch the malicious software.

 

Indicators of Compromise

   SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
    SHA256
  1. 13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a
  2. 29e2f15a4a6275f43d86cf613c2934171aa5be187da7fdaa99a006245890de1f
  3. 4d610283c93904d984a42269aef65c2cab89f4a127d9c229a700e6aaf9d7000e
  4. 6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a
  5. 73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58
  6. 75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45
  7. 9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74
  8. d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983
  9. dd1b3cd0042d4c090bc72099f30e4b76d5f2772f9f9f95176f2c59bc2ac30aa8
  10. f8c931767bc0ab951b72ab691163e6d1fc3c50e4ceee5277858d3e77a0c02e92

 

Mitigation

  1. Use updated antivirus software that detects and stops malware infections
  2. Apply critical patches to the system and application
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly 

Be informed in your Inbox

Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.

Join the Discussions

Discuss your way into our Community about these threats and stay Vigilant and informed.