Kobalos Malware Description
The Kobalos Malware is a threatening Linux backdoor that can infect a wide range of operating systems, including Linux, BSD, Solaris and potentially AIX and Windows. The research that analyzed the threat discovered that it exhibited a sophisticated package of threatening and anti-detection features. It appears that the main targets of the attack campaign involving the Kobalos Malware are high-performance computing (HPC) clusters, primarily located in Europe. The threat also has compromised an endpoint security software vendor in the U.S. and a large Internet service provider from Asia.
The Kobalos Malware is capable of carrying out all of the generic threatening functions associated with a backdoor, which makes determining the real purpose of the campaign that much harder. Once established inside the infected target, the threat can manipulate the file system, spawn terminal sessions, and initiate proxied connections to other infected systems. The hackers can reach their malware tool in several different ways. In most cases, the Kobalos Malware is embedded in the OpenSSH server executable (sshd), and, to trigger the backdoor functionality, the inbound connection must come from a specific TCP source port. If a standalone variant not embedded in sshd is deployed, it either attempts to reach a Command-and-Control (C2, C&C) server or waits for a connection on a given TCP port.
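The sshd-embedded variant described above only activates when the client connects from a specific TCP source port, whereas normal SSH clients pick a random ephemeral port for every session. The following is an added detection example, not code from the original article: it scans constructed connection-log lines for clients that repeatedly reach sshd from one fixed, non-ephemeral source port. The log format, the IP addresses and the port 1026 are assumptions for the sample, not indicators from the page.

```python
"""Hunt for SSH clients that reuse a fixed, non-ephemeral source port."""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample records: "ts src_ip src_port dst_ip dst_port".
# 192.0.2.77 hits three sshd instances from the same low source port,
# which is the pattern a port-triggered backdoor would leave behind.
SAMPLE_LOG = """\
1612000001.1 203.0.113.5 51234 198.51.100.10 22
1612000002.4 203.0.113.5 51250 198.51.100.10 22
1612000010.0 192.0.2.77 1026 198.51.100.10 22
1612000020.0 192.0.2.77 1026 198.51.100.11 22
1612000030.0 192.0.2.77 1026 198.51.100.12 22
1612000040.0 203.0.113.9 40001 198.51.100.10 443
"""

# Lower bound of the default Linux ephemeral range (net.ipv4.ip_local_port_range).
EPHEMERAL_MIN = 32768


def parse_log(text: str) -> List[Conn]:
    """Parse whitespace-separated connection records, skipping blanks and comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sip, sp, dip, dp = line.split()
        conns.append(Conn(float(ts), sip, int(sp), dip, int(dp)))
    return conns


def fixed_source_port_clients(conns: List[Conn], ssh_port: int = 22,
                              min_sessions: int = 2,
                              ephemeral_min: int = EPHEMERAL_MIN) -> Dict[str, int]:
    """Return {src_ip: src_port} for clients that reused one low source port to reach sshd."""
    per_client = defaultdict(list)
    for c in conns:
        if c.dst_port == ssh_port:
            per_client[c.src_ip].append(c.src_port)
    hits = {}
    for ip, ports in per_client.items():
        for port in set(ports):
            if port < ephemeral_min and ports.count(port) >= min_sessions:
                hits[ip] = port
    return hits
```

Treat a hit as a lead for inspecting the sshd binary on the destination hosts rather than as proof of compromise: NAT devices and some scanners also present fixed source ports.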
A unique aspect of Kobalos discovered by the infosec researchers is that the threat carries with itself the necessary code to run a C&C server. In practice, this means that any compromised server can be turned into a C&C server for the threatening campaign with a single command from the attackers.
The hackers' true goal is impossible to discern, as no other malware payloads have been dropped onto the infected machines, except a credential collector that modifies the victims' SSH client. This collector is rather basic in design and nowhere near the level of sophistication found in Kobalos. Earlier versions included unencrypted strings, and all of the misappropriated account credentials were deposited in a file stored on the disk. The hackers appear to be actively improving this part of their arsenal, though: more recent versions include some obfuscation and are able to exfiltrate the collected usernames and passwords. Any credentials obtained by the threat actor could then be used to spread the Kobalos Malware further.