
Kobalos Linux malware hijacks supercomputers around the world

Introduction

It is reported that a small but complex malware variant is targeting supercomputers around the world. The malware, named Kobalos, has attacked supercomputers used by large Asian Internet Service Providers (ISPs), a US endpoint security vendor and many private servers. Kobalos uses a trojanized version of the OpenSSH software to steal Secure Shell (SSH) credentials.

Kobalos has a small but very complex code base. It runs on both 32-bit and 64-bit systems, is only 24 KB in size, and can also be executed on other UNIX platforms (FreeBSD, Solaris). Some components discovered during the analysis indicate that there may also be variants for the AIX and Windows operating systems.

After creating fingerprints for Kobalos, ESET scanned the entire Internet to find Kobalos victims. They found that many of the infected systems are supercomputers and servers in the academic and research fields. Other victims include the endpoints of an undisclosed software security provider in North America, a large Asian ISP, a marketing agency and a hosting service provider.

[Figure: the industry and region of the infected organizations]

In a sense, Kobalos is a generic backdoor: it contains a wide range of commands, none of which reveals the attacker's intentions. Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers. The function overview and access methods are as follows:

[Figure: Kobalos function overview and access methods]

Although the researchers spent months analyzing the malware, they were unable to determine its exact purpose, because it contains only generic commands and no specific payload. Through the investigation of victim machines, it was discovered that Kobalos steals SSH credentials by replacing the existing OpenSSH client with a trojanized version.
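A defender's check suggested by the trojanized-client finding, added here as an example and not taken from the ESET report: record SHA-256 baselines for the OpenSSH binaries on a known-clean install and re-verify them later, so a swapped client shows up as a hash mismatch. The binary paths and package names are assumptions for a typical Linux layout.

```shell
# Added example (not from the ESET report). Tracks the OpenSSH binaries by
# SHA-256 so that a replaced client or server binary is reported.
# Paths below are assumptions; adjust them to the distribution's layout.
SSH_BINARIES="/usr/bin/ssh /usr/bin/scp /usr/bin/sftp /usr/sbin/sshd"

# record_baseline BASELINE_FILE [FILE...]
# Writes one "sha256  path" line per existing file into BASELINE_FILE.
record_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        [ -f "$f" ] || continue
        sha256sum "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE_FILE
# Re-hashes every path listed in BASELINE_FILE and prints those that changed
# or disappeared. Returns 0 when everything matches, 1 otherwise.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"; status=1
        fi
    done < "$baseline"
    return $status
}

# Optional cross-check against the package database, where one exists.
# Package names are assumptions (Debian/Ubuntu and RHEL-style naming).
verify_package() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-client openssh-server   # prints nothing when unmodified
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-clients openssh-server
    fi
}

# Typical use: record_baseline /root/ssh.sha256 $SSH_BINARIES once on a
# clean host, then verify_baseline /root/ssh.sha256 from a scheduled job.
```

Keep the baseline file off the host (or on read-only media), since an attacker who can replace the ssh binary can also rewrite a baseline stored next to it.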

In Conclusion:

Researchers could not determine the attacker's intentions. No other malware was found on the infected computers, with the exception of the SSH credential-stealing program.
The way Kobalos is packed tightly into a single function, and the way existing open ports are used to reach it, make this threat difficult to detect. This level of complexity is rare in Linux malware. Considering that it is more advanced than the average Linux malware and targets important organizations, Kobalos may continue to operate for some time.

IOCs

YARA rules: https://github.com/eset/malware-ioc/blob/master/kobalos/kobalos.yar

Kobalos

SSH credential stealer