Kobalos: Linux malware that attacks supercomputers

Kobalos, a piece of malware for Linux, has complex code, which is very rare for malware written for Linux. ESET researchers have described this new malware, which attacks supercomputers.

The experts named it Kobalos after a character from ancient Greek mythology: a mischievous spirit who loves to deceive and frighten people. A major Asian Internet provider and an American vendor of security solutions have already become victims of the malware.

The researchers point out that Kobalos is interesting for several reasons.

“Its codebase is very small but complex enough to attack Linux, BSD, and Solaris. Moreover, such complex code is very rare for malware written for Linux”, say ESET experts.

According to experts, Kobalos may also be suitable for attacks on AIX and Microsoft Windows.

Together with the computer security team of the European Organization for Nuclear Research (CERN), ESET researchers determined that this “unique multiplatform” malware attacks high-performance computing (HPC) clusters. In some cases, additional malware hijacked the server’s SSH client in order to steal the credentials that the attackers then used to gain access to the HPC systems and deploy Kobalos. The use of this info-stealer partly explains how the malware spreads.

Kobalos is essentially a backdoor. Once installed on a supercomputer, it is embedded in the executable file of the OpenSSH server (sshd) and activates its backdoor functionality when a connection arrives via a specific TCP port.

“There are other variants of Kobalos that are not embedded in sshd. These versions either connect to a C&C server acting as an intermediary, or wait for an incoming connection on a given TCP port”, ESET researchers report.

Kobalos gives its operators remote access to the file system, allows them to launch terminal sessions, and also acts as a connection point (proxy) to other servers infected with the malware.

A unique feature of Kobalos is its ability to turn any compromised server into a C&C server with a single command. Since the IP addresses and ports of the C&C server are hardcoded into the executable, the malware operators can then generate new Kobalos samples that use this new C&C server.

Interestingly, the researchers were unable to determine what goals the malware operators are pursuing. No other malware, apart from Kobalos itself and the info-stealer, was found on the infected systems.

Let me remind you that I also wrote here about the FreakOut malware, which attacks Linux systems and uses them for DDoS and mining.