Malware for Linux Kobalos attacks supercomputers

Malware for Linux Kobalos has complex code, which is very rare for malware written for Linux. ESET Researchers spoke about a new malware attacking supercomputers.

Experts named it Kobalos in honor of the character of ancient Greek mythology, where Kobalos is a mischievous spirit who adores deceiving and frightening people. A major Asian Internet provider and an American provider of security solutions have already become victims of the malware.

The researchers point out that Kobalos is interesting for several reasons.

“Its codebase is very small but complex enough to attack Linux, BSD, and Solaris. Moreover, such complex code is very rare for malware written for Linux”, – say ESET experts.

According to experts, Kobalos may also be suitable for attacks on AIX and Microsoft Windows.

Together with the computer security team of the European Organization for Nuclear Research (CERN), ESET researchers have determined that “unique multiplatform” malware attacks computing clusters (HPC). In some cases, additional malware intercepted the server’s SSH connection in order to steal the credentials that attackers used to gain access to HPC and deploy Kobalos. The use of this info-stealer partly explains how the malware spreads.

Kobalos is essentially a backdoor. Once installed on a supercomputer, it is embedded in the executable file (sshd) of the OpenSSH server and launches the backdoor functionality if a call is made through a specific TCP port.

“There are other variants of Kobalos that do not fit into sshd. These versions either connect to a C&C server acting as an intermediary, or wait for an incoming connection on a given TCP port”, — ESET researchers report.

Kobalos gives its operators remote access to file systems, allows launching of the terminal sessions, and also acts as points of connection to other servers infected with malware.

A unique feature of Kobalos is its ability to turn any compromised server into a C&C server with just one command. Since the IP addresses and ports of the C&C server are hardcoded into the executable, malware operators can generate new Kobalos samples using this new C&C server.

Interestingly, the researchers failed to establish goals that malware is pursuing. No other malware, except for Kobalos itself and the info-stealer, was also found on infected systems.

Let me remind you that I also wrote here about FreakOut malware that attacks Linux systems and uses them for DDoS and mining.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button