
Kobalos, a complex Linux malware targets high-performance computing clusters

ESET researchers have uncovered a previously undocumented backdoor, dubbed Kobalos, that has been used in attacks against high-performance computing (HPC) clusters.

The name Kobalos comes from a small sprite from Greek mythology, a mischievous creature fond of tricking and frightening mortals.

Kobalos is small, about 25 KB for the x86-64 samples, and besides Linux it also runs on FreeBSD and Solaris; artifacts suggest that variants for Windows and AIX may exist as well.

Evidence of the malware activity was first spotted in late 2019, but the threat actors behind the malware remained active throughout 2020.

“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers.” reads the analysis published by ESET. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.”

The researchers were not able to determine the intent of the attackers behind the malware, nor to link the activity to previously reported intrusions.

The experts pointed out that Kobalos has not been used to abuse infected supercomputers for cryptocurrency mining.

The researchers also noticed that a Kobalos infection can be identified remotely: the backdoor hides inside the SSH server and activates only when a client connects from a specific TCP source port. Using that knowledge, ESET scanned the internet for potential victims.
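The fingerprinting idea above can be turned into a simple two-connection probe: connect once normally, connect once from the trigger source port, and compare what the server says first. The following is an added example written for this page, not ESET's scanner or any Kobalos code; the trigger port and banner are placeholders (the real trigger port is in ESET's indicators, not on this page), and the "fake sshd" is a constructed stand-in that only mimics the one observable behaviour described, silence when the client's source port matches, so the probe can be exercised offline.

```python
import socket
import threading

# Placeholder values for this illustration only; substitute the documented
# trigger port when probing real hosts.
TRIGGER_SOURCE_PORT = 40001
SSH_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"


def probe_ssh(host, port, source_port=None, timeout=1.0):
    """Open a TCP connection to host:port, optionally from a fixed local
    source port, and return whatever the server sends first.

    A normal sshd speaks first and sends an "SSH-" version banner. A server
    that reacts to the client's source port by staying silent (waiting for
    the operator's own handshake instead) yields b"" here.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        if source_port is not None:
            # Allow reusing the trigger port while an earlier probe's
            # connection is still in TIME_WAIT.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(("", source_port))
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def classify(baseline, triggered):
    """Compare the reply to an ordinary connection with the reply to a
    connection made from the trigger source port."""
    if not baseline.startswith(b"SSH-"):
        return "not-ssh"        # nothing to compare against
    if triggered.startswith(b"SSH-"):
        return "normal"         # the source port made no difference
    return "suspicious"         # banner withheld only for the trigger port


# Constructed stand-in for an infected sshd (NOT Kobalos): it sends the
# normal banner to everyone except clients arriving from the trigger port,
# which it silently waits on instead.
def _handle(conn, peer_port):
    with conn:
        if peer_port == TRIGGER_SOURCE_PORT:
            conn.settimeout(2.0)
            try:
                conn.recv(1)    # wait for the "operator" to speak first
            except socket.timeout:
                pass
        else:
            conn.sendall(SSH_BANNER)


def _serve(listener):
    while True:
        conn, (_, peer_port) = listener.accept()
        threading.Thread(target=_handle, args=(conn, peer_port), daemon=True).start()


def start_fake_sshd():
    """Bind the stand-in server on an ephemeral localhost port; return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    threading.Thread(target=_serve, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def demo():
    """Run both probes against the stand-in server and return the verdict."""
    port = start_fake_sshd()
    baseline = probe_ssh("127.0.0.1", port)
    triggered = probe_ssh("127.0.0.1", port, source_port=TRIGGER_SOURCE_PORT)
    return classify(baseline, triggered)


if __name__ == "__main__":
    print(demo())
```

Against real hosts the result is a lead, not proof: a legitimate sshd can also withhold its banner when it is overloaded (MaxStartups) or when a firewall rate-limits the probing address, so a "suspicious" verdict should be followed by checking the sshd binary on the host against its package manager's recorded hashes.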

The victims identified by the scan included high-performance computing clusters, an endpoint security vendor, government agencies and personal servers in North America, universities and hosting firms in Europe, and a major ISP in Asia.

Kobalos stands out for embedding the command-and-control (C&C) server code in the backdoor itself, a design choice that lets the operators turn any compromised server into a C&C node.

ESET researchers also found that the attackers deployed a credential-stealing tool on infected systems: a trojanized OpenSSH client that records the credentials used for outgoing SSH connections. The attackers likely used the stolen credentials to move laterally to other servers within the target organization.

This level of sophistication is rarely seen in Linux malware; for this reason the researchers believe Kobalos may have been in circulation for some time and will continue to be improved.

“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” concludes ESET. “Their targets, being quite high profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”


Pierluigi Paganini

