Tiny Kobalos malware seen backdooring SSH tools, menacing supercomputers, an ISP, and more – ESET

ESET researchers say they have found a lightweight strain of malware that targets multiple OSes and has hit supercomputers, an ISP, and other organisations.

Nicknamed Kobalos, the software nasty is said to be portable to Linux, the BSDs, Solaris, and possibly AIX and Windows. ESET researchers Marc-Etienne M.Léveillé and Ignacio Sanmillan appear to have analysed primarily the Linux version of the code. Here's a summary of the key findings from their research:

• How it gets onto servers is unclear though systems infected by Kobalos have their SSH client tampered with to steal usernames and passwords, and presumably server addresses, that are typed into it. These details could be used by the malware's masterminds to log into those systems to propagate their malware. This would be especially possible if the stolen username-password combos were for superuser-level or sudoers accounts. Thus, miscreants can gradually take over more and more machines, one account at a time, from just one compromised computer. Changing the SSH client will need admin-level access, we note, or some PATH shenanigans.
• Kobalos is typically hidden in an infected machine's OpenSSH server executable and activates a backdoor if it receives a connection from a particular source TCP port, usually 55201. Once an encrypted connection is established, this backdoor can be used like a remote terminal, executing arbitrary commands entered by its operators.
• The malware can also connect to a command-and-control (C2) server that links the software to its masterminds. An infected server can also act as a proxy between the operators and another compromised box. Public-facing IP addresses and port numbers for these C2 machines may be hardcoded into the next Kobalos build.
• According to ESET, a large Asian ISP, a North American endpoint security vendor, a European marketing agency, university networks, people's personal servers, and other kit were found to be hit by the malware as well supercomputer clusters.
• ESET was separately working with CERN's computer security team to protect the super-lab's networks from whoever it was going around installing cryptocurrency miners and the like on high-performance rigs.

The ESET duo also hat-tipped Maciej Kotowicz of MalwareLab.pl for also analysing the malware. The above-linked advisory includes details on how to detect the backdoor and how to thwart its spread. Using multi-factor authentication for SSH is a recommended option as it should prevent the use of stolen usernames and passwords. Plenty more technical details and reverse-engineering of the code and its use of encryption can be found here [PDF].

ESET was unwilling to attribute the malware to any known group of hackers or nation states. And what's in a name? Léveillé and Sanmillan said: "We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a kobalos is a small, mischievous creature."

Linux malware is uncommon but far from unknown. Last year Microsoft declared its support for hunting down in-memory malware targeting Linux servers while China's APT41 was revealed to have spent five years poking around various Linux boxen. ®