
Kobalos, a complex Linux malware targets high-performance computing clusters

ESET researchers uncovered a previously undocumented piece of malware that has been observed targeting high-performance computing (HPC) clusters.

ESET analyzed the new malware, dubbed Kobalos, which was employed in attacks against HPC clusters.

The name Kobalos comes from a small sprite from Greek mythology, a mischievous creature fond of tricking and frightening mortals.

Kobalos is a small piece of Linux malware, only 25 KB for x86-64 samples, that also works on FreeBSD and Solaris, and possibly on Windows and AIX systems as well.

Evidence of the malware activity was first spotted in late 2019, but the threat actors behind the malware remained active throughout 2020.

“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers,” reads the analysis published by ESET. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.”

The researchers were not able to determine the intent of the attackers behind the malware, nor to link the threat to previously reported infections.

The experts pointed out that Kobalos has not been used to abuse infected supercomputers for cryptocurrency mining.

The experts noticed that it is possible to determine whether a host is infected with Kobalos by connecting to its SSH server from a specific TCP source port: the backdoor hijacks such connections instead of handing them to the legitimate sshd. Using that knowledge, they were able to scan the internet to find potential victims.
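The check described above, as an added example that is not ESET's code and not part of the original article: connect to a host's SSH port from a fixed source port and classify the first bytes the server sends, since a healthy OpenSSH server always speaks first with an `SSH-` banner. The trigger port used here (`TRIGGER_SOURCE_PORT`) is a placeholder, not the real Kobalos value (which is in ESET's report, not on this page), and the mock sshd is a constructed local stand-in so the probe runs offline.

```python
import socket
import threading

# Placeholder: the real trigger source port is in ESET's report, not on this page.
TRIGGER_SOURCE_PORT = 55555           # assumption, not the actual Kobalos value
SSH_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"  # constructed banner for the local mock server


def classify_banner(data: bytes) -> str:
    """Classify what the server sent right after the TCP handshake.

    sshd always speaks first and starts with "SSH-". A backdoor that keys on
    the client's source port hijacks the socket, so the banner is missing or
    replaced; either case deserves a closer look on an HPC login node.
    """
    if data.startswith(b"SSH-"):
        return "normal-ssh"
    if data == b"":
        return "silent"       # nothing received before timeout or close
    return "non-ssh"          # server spoke, but not the way sshd would


def probe(host: str, port: int, source_port: int, timeout: float = 3.0) -> str:
    """Connect from a fixed source port and classify the first bytes received."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.settimeout(timeout)
        s.bind(("", source_port))   # the source port is what the backdoor keys on
        s.connect((host, port))
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return classify_banner(data)


def start_mock_sshd(banner: bytes) -> int:
    """Constructed local stand-in for sshd; returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)  # an empty banner simulates a hijacked socket
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_sshd(SSH_BANNER)
    print(probe("127.0.0.1", port, TRIGGER_SOURCE_PORT))  # normal-ssh
```

Run it against your own login nodes with the trigger port from ESET's report; a `silent` or `non-ssh` result from that source port, while a random source port still yields `normal-ssh`, is the signal the researchers scanned for.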

The list of systems targeted by Kobalos included high-performance computing clusters (HPC), an endpoint security solutions provider, government agencies, and personal servers in North America, universities, hosting firms in Europe, and a major ISP in Asia.

Kobalos stands out for embedding the command-and-control (C&C) server code in the malware itself, a design choice that lets operators turn any compromised server into a C&C server.

ESET researchers also noticed that the attackers deployed on infected systems a tool designed to steal credentials from SSH clients. The tool is a trojanized OpenSSH client; the attackers likely used it to harvest SSH credentials and then used those credentials to spread to other servers within the target organization.

The level of sophistication shown by Kobalos is rarely seen in Linux malware; for this reason, the experts believe it may have been around for a while and that it will continue to be improved.

“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” concludes ESET. “Their targets, being quite high profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”


Pierluigi Paganini
