New Kobalos Linux malware steals SSH credentials from supercomputers

A new backdoor has been found on supercomputers around the world. It is accompanied by a trojanized OpenSSH client that steals the credentials used for SSH connections. The malware does not affect every kind of system: it is found mainly on high-performance computing (HPC) clusters and on servers in academic and research networks.

Security researchers at ESET discovered the malware and named it Kobalos, after the creature in Greek mythology that likes to deceive and frighten mortals.

ESET states that Kobalos has a small but very complex code base and runs on Linux and other UNIX-like platforms. During the analysis, ESET also found indications that the malware may have variants for AIX and Windows.

After building a fingerprint for the malware, ESET scanned the entire Internet for systems compromised by Kobalos. Many of the infected hosts were supercomputers and servers in academia and research. Other victims included a security software vendor in North America, a large Asian ISP, marketing agencies, and managed service providers.

The affected systems do share one common feature: they were running old, unsupported, or unpatched operating systems and software, which made them easier to compromise.

Although the researchers spent several months analyzing the malware, they have not been able to determine its exact purpose, because it contains only generic commands and carries no specific payload. As the investigation progressed, they also found that Kobalos has been used in attacks on supercomputers since at least late 2019. So far, however, there has been no sign of cryptocurrency mining or of other computationally intensive tasks being run.

Kobalos gives the attacker remote access to the file system and can spawn a terminal session in which arbitrary commands are run. The researchers believe that credential theft explains how the malware spreads to other systems on the same network: students and researchers from multiple universities routinely reach supercomputer clusters over SSH, and credentials captured on one host let the attacker log in to the other hosts those users can reach.
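Because the theft happens inside a replaced OpenSSH binary, the first check a cluster administrator wants is whether the ssh and sshd binaries on a node still match a known-good baseline. The script below is an added example, not ESET's tooling and not anything from the Kobalos analysis. It assumes only `sha256sum` from coreutils and the usual Debian/RHEL paths for the OpenSSH binaries (set `SSH_BINS` to override them). Record the baseline on a freshly installed node, keep the baseline file off-host or on read-only media, and verify every node against it regularly.

```shell
#!/bin/sh
# Added example (not part of the article or of ESET's research): baseline
# and verify SHA-256 hashes of the OpenSSH binaries so that a trojanized
# client or server is caught on the next integrity run.
# Assumption: sha256sum (coreutils) is available. SSH_BINS lists the usual
# Debian/RHEL locations; override it for other layouts.

SSH_BINS="${SSH_BINS:-/usr/bin/ssh /usr/bin/scp /usr/bin/sftp /usr/sbin/sshd /usr/bin/ssh-keygen}"

# baseline_ssh BASELINE_FILE FILE... : write "hash  path" lines (sha256sum
# format) for every listed file that exists, truncating BASELINE_FILE first.
baseline_ssh() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        if [ -f "$f" ]; then
            sha256sum "$f" >> "$out"
        fi
    done
}

# verify_ssh BASELINE_FILE : recompute the hash of every path in the
# baseline, report CHANGED/MISSING entries on stdout, and return 1 if any
# entry no longer matches (0 when everything is intact).
verify_ssh() {
    baseline="$1"
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# Usage (when run as a script):
#   ./ssh-integrity.sh baseline /mnt/readonly/ssh-baseline.sha256
#   ./ssh-integrity.sh verify   /mnt/readonly/ssh-baseline.sha256
# $SSH_BINS is deliberately unquoted so the list splits into separate paths.
case "${1:-}" in
    baseline) baseline_ssh "$2" $SSH_BINS ;;
    verify)   verify_ssh "$2" ;;
esac
```

Package-manager verification (`rpm -V openssh-clients openssh-server` or `dpkg --verify openssh-client openssh-server`) is a quicker first pass, but the package database lives on the same host the attacker controls, so an independent baseline kept elsewhere is the stronger check. A trojanized client still captures whatever the user types, so an integrity check complements, rather than replaces, key-based authentication and a second factor on the cluster's SSH login nodes.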

Kobalos is very lightweight: the 32/64-bit sample is only 24 KB. Yet it is complex malware, with custom obfuscation and anti-forensics techniques that make it harder for researchers to analyze, and despite its small size it is rich in functionality.

One feature that makes Kobalos stand out is that its code is bundled into a single function, with only one call into the legitimate OpenSSH code. Its control flow is non-linear: that function calls itself recursively to perform subtasks. A total of 37 actions are supported, one of which turns any infected machine into a command-and-control (C2) server for other infected machines.

ESET has notified all companies and institutions affected by Kobalos and will work with them to identify and remediate the compromise.