Powerful but tiny malware has been targeting supercomputers, especially those used in academia & scientific enterprises. It provides initial access for a variety of follow-on attacks, including credential theft – & potentially data exfiltration or cryptomining.
The sophisticated backdoor steals SSH credentials for servers in academic & scientific high-performance computing clusters.
That is according to ESET researchers, who discovered the Kobalos backdoor in recent months. The code grants remote access to the file system, lets attackers spawn terminal sessions & proxies connections to other Kobalos-infected servers.
“Kobalos malware contains generic commands to read from & write to the file system and spawn a terminal to execute arbitrary commands,” they explained.
“Unfortunately, it doesn’t contain any specific payload that could indicate the intentions of its authors. The operators likely open a shell through the terminal & perform whatever commands they need to.”
Kobalos gets its name from Greek mythology. The kobaloi were companions of Dionysus, a band of mischievous sprites known for tricking & frightening mortals. ESET researchers adopted the name for the malware “for its tiny code size & many tricks,” they observed in an analysis released on Tuesday.
The backdoor is multiplatform & capable of attacking Linux, BSD, Solaris, & possibly AIX and Windows machines, researchers commented (they found strings related to Windows 3.11 & Windows 95, which are 25-year-old operating systems).
High Performance Computing (HPC)
So far it has been seen going after high-performance computing (HPC) clusters, but it has also been found infecting a large Asian ISP, a North American endpoint-security vendor & a few personal servers.
ESET identified Kobalos victims by scanning for connections to SSH servers that use a specific TCP source port known to be abused by the malware.
“There are multiple ways for the operators to reach a Kobalos-infected machine,” according to ESET. “The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) & will trigger the backdoor code if the connection is coming from a specific TCP source port.”
However, there are other standalone variants that are not embedded in sshd; these either connect to a command-and-control (C2) server that acts as a middleman, or wait for an inbound connection on a given TCP port, the firm noted.
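The sshd-embedded variant above activates only when the connection arrives from one specific TCP source port, which the article does not name. The following is an added example (not ESET's scanner) of how a defender can hunt for that behaviour in flow logs: match on the port directly when it is known, and otherwise look for a source port reused by several distinct clients toward port 22, which ordinary SSH clients, picking random ephemeral ports, almost never do. The flow-record layout, the port 55555 and the documentation-range IPs are constructed for the sample.

```python
"""Hunt for the fixed TCP source port a Kobalos-embedded sshd waits for (added example).
Normal SSH clients choose a random ephemeral source port per connection, so one source
port recurring across several client addresses toward port 22 is the anomaly to look
for even when the trigger port itself is unknown."""
from collections import defaultdict

# Constructed flow records, "src_ip src_port dst_ip dst_port proto" per line; the layout is
# an assumption, adapt parse_flow() to your collector (Zeek conn.log, nfdump, firewall logs).
SAMPLE_FLOWS = """\
203.0.113.7 40122 192.0.2.10 22 tcp
203.0.113.7 55555 192.0.2.10 22 tcp
198.51.100.4 55555 192.0.2.11 22 tcp
198.51.100.9 55555 192.0.2.10 22 tcp
198.51.100.4 55555 192.0.2.11 443 tcp
203.0.113.9 41000 192.0.2.10 22 tcp
203.0.113.9 41000 192.0.2.10 22 udp
"""

def parse_flow(line):
    src, sport, dst, dport, proto = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower()}

def ssh_flows(flow_text, ssh_ports=(22,)):
    """Yield only TCP flows toward an SSH port; Kobalos rides on sshd, so UDP and other ports are noise here."""
    for line in flow_text.splitlines():
        if line.strip():
            f = parse_flow(line)
            if f["proto"] == "tcp" and f["dport"] in ssh_ports:
                yield f

def find_trigger_connections(flow_text, trigger_port, ssh_ports=(22,)):
    """Known trigger port: return (src, dst) pairs of SSH flows using it, in log order."""
    return [(f["src"], f["dst"]) for f in ssh_flows(flow_text, ssh_ports)
            if f["sport"] == trigger_port]

def fixed_source_port_candidates(flow_text, min_sources=2, ssh_ports=(22,)):
    """Unknown trigger port: source ports reused by at least min_sources distinct clients.

    Returns {sport: sorted client IPs}. Clients behind one NAT gateway share an address
    and so do not inflate the count; review any hit before imaging the sshd host.
    """
    clients = defaultdict(set)
    for f in ssh_flows(flow_text, ssh_ports):
        clients[f["sport"]].add(f["src"])
    return {p: sorted(s) for p, s in clients.items() if len(s) >= min_sources}
```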
ESET researchers are unsure how the infected systems were compromised to gain administrative access to install the Kobalos backdoor, but an obvious possible entry point could be exploitation of a known vulnerability.
“Some of the compromised machines ran old, unsupported or unpatched operating systems & software,” they explained. “While the use of an undisclosed vulnerability isn’t impossible, a known exploit is more likely in this situation.”
Kobalos is also likely using stolen credentials – ESET observed that on systems compromised by Kobalos, the SSH client in use had its credentials stolen by a 2nd-stage malware. This SSH credential stealer took the form of a trojanised OpenSSH client.
“The /usr/bin/ssh file was replaced with a modified executable that recorded username, password & target hostname, & wrote them to an encrypted file,” ESET researchers explained. Those stolen credentials can simply be used by the attackers to install Kobalos on the newly discovered server later.
To avoid being a victim, administrators should make sure patches are up to date & they should set up 2-factor authentication (2FA) for connecting to SSH servers, researchers noted: “Kobalos is another case where 2FA could have mitigated the threat, since the use of stolen credentials seems to be one of the ways it is able to propagate to different systems.”
The C2 server approach in Kobalos is interesting, according to the analysis – because the C2 code is embedded within the malware itself.
“Any server compromised by Kobalos can be turned into a C2 server by the operators sending a single command,” researchers explained. “As the C2 server IP addresses & ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server.”
Kobalos can also be used as a proxy to connect to other infected servers.
“It is not a generic TCP proxy; it expects communication to be encapsulated in packets specific to this threat. Also, a command can be sent to the proxy to ‘switch’ the connection to a new TCP port. Proxies can be chained, which means the operators can use multiple Kobalos-compromised machines to reach their targets.”
Interestingly, the Kobalos code is tightly contained in 1 function, which “recursively calls itself to perform subtasks,” according to the analysis.
This compact architecture combines with other malware attributes to defy analysis. E.g., ESET pointed out that Kobalos’ usage of an existing open port makes the threat harder to find. All strings are encrypted, “so it’s more difficult to find the malicious code than when looking at the samples statically,” the report noted.
Using the backdoor requires a private 512-bit RSA key & a 32-byte-long password. Once both are validated, Kobalos generates 2 x 16-byte keys, encrypts them with the RSA-512 public key & sends them to the attackers. These 2 keys are used to RC4-encrypt subsequent inbound & outbound traffic.
Overall, the Kobalos authors are clearly advanced attackers, ESET surmised.
“Numerous well-implemented features & the network-evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux & other non-Windows systems,” according to the report. “Its small footprint & network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”
SSH Client Credential Theft
The credential stealer mentioned earlier is unique, researchers stated, & unlike any of the malicious OpenSSH clients the team has analysed in the past.
Different variants were found, including Linux & FreeBSD instances. In all cases, the main capabilities consist of stealing hostname, port, username & password used to establish an SSH connection from the compromised host, which are saved in an encrypted file.
“All samples found use the same simple cipher for the contents of the files; it simply adds 123 to each byte of data to be saved,” researchers explained. “For the FreeBSD version, the same format & cipher is applied. However, there are some small implementation differences, such as encrypting the file path in the malware with a single-byte XOR.”
Stolen SSH Credentials
The location of the file where the stolen SSH credentials are saved varies depending on the variant, but all samples create a file under /var/run with a legitimate looking “.pid” extension.
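Taken together, the cipher described above (add 123 to every byte) and the “.pid” file under /var/run give an incident responder two concrete handles. The following is an added example, not ESET's tooling: it walks /var/run for .pid files whose contents are not a plain process id and applies the inverse transform so the responder can see which hosts, users and passwords were captured and need rotating. The record layout in the constructed sample is an assumption; the article only lists the fields the stealer records.

```python
"""Triage helper for the Kobalos SSH credential stealer's output files (added example).
The stealer writes stolen hostname/port/user/password records to a ".pid"-named file under
/var/run and "encrypts" it by adding 123 to every byte. A real pid file holds only a decimal
number, so any other /var/run/*.pid content deserves a look, and the inverse transform
shows what was taken."""
import os, re, string

PID_RE = re.compile(rb"^\s*\d+\s*$")
PRINTABLE = frozenset(string.printable.encode())

def decode_stealer_file(data: bytes) -> bytes:
    """Undo the stealer's cipher: subtract 123 from every byte, modulo 256."""
    return bytes((b - 123) % 256 for b in data)

def is_real_pid_file(data: bytes) -> bool:
    return PID_RE.match(data) is not None

def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Decoded credential records should be almost entirely printable ASCII."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= threshold

def triage_pid_file(data: bytes):
    """Classify one file's bytes as 'pid', 'stealer-log' (with decoded text) or 'unknown'."""
    if is_real_pid_file(data):
        return "pid", None
    decoded = decode_stealer_file(data)
    if looks_like_text(decoded) and not looks_like_text(data):
        return "stealer-log", decoded
    return "unknown", None

def scan_run_dir(directory: str = "/var/run") -> dict:
    """Walk directory for .pid files and report every one that is not a plain pid file."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".pid"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    verdict, decoded = triage_pid_file(fh.read())
            except OSError:
                continue  # unreadable or vanished between listing and open
            if verdict != "pid":
                findings[path] = (verdict, decoded)
    return findings

# Constructed sample: the record layout is an assumption (the article does not give it),
# encoded with the +123 transform to stand in for a file the stealer wrote.
SAMPLE_RECORD = b"host=login.example.org port=22 user=alice pass=hunter2\n"
SAMPLE_ENCODED = bytes((b + 123) % 256 for b in SAMPLE_RECORD)
```

The FreeBSD variant uses the same file format and cipher, so the decoder applies there too; only the in-binary path obfuscation differs.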
Newer versions of the credential stealer contain an encrypted configuration & add the ability to exfiltrate credentials over UDP to a remote host specified in the configuration.
“Exfiltrating credentials over UDP is something Ebury & other SSH credential stealers such as Bonadan, Kessel & Chandrila have been doing,” the analysis read. “The choice of UDP could be to bypass a firewall & avoid creating TCP network flow to potentially untrusted hosts.”
The malware’s configuration includes the hostname of the victim & a specified file path for exfiltration, so that the cyber-attackers can track the origin of the credentials. “This also means that each compromised server receives a unique sample of the credential stealer,” researchers added.
Interestingly, the code lacks the sophistication of Kobalos itself, says ESET.
“For example, strings were left unencrypted, & stolen usernames & passwords are simply written to a file on disk,” researchers wrote. “However, we found newer variants that contain some obfuscation & the ability to exfiltrate credentials over the network.”
Attacks on HPC clusters have become more common in the last year.
An advisory from the European Grid Infrastructure (EGI) CSIRT last year warned that supercomputing clusters in Canada, China & Poland had been compromised to deploy cryptocurrency miners.
Also, the UK supercomputer known as ARCHER was compromised in May 2020 to steal SSH credentials.
It’s unclear whether Kobalos was involved in these attacks. The CERN Computer Security Team, which is responsible for mitigating attacks on scientific research networks, did say that Kobalos’ existence predates those incidents, but ESET found that the techniques described in the cryptomining attacks in particular differed from those of Kobalos.
Nevertheless, Kobalos has an interest in supercomputing, & these high-profile targets show that the objective of the Kobalos operators is not to compromise as many systems as possible, researchers noted.
“It is not clear why the HPC community is overly represented among the victims of these attacks,” states the report. “HPC centres are obviously interesting targets but typically less easily accessible than other academic servers.”
Incident Response Teams
That said, “CERN & other incident response teams have observed a number of legacy designs & suboptimal security practices that played a key role in enabling the attackers to spread their attacks. Also, most HPC victims were poorly prepared for forensics, in particular with regard to traceability.”
The credential-stealing part of Kobalos could also explain why many academic networks were compromised, they concluded: “If one of those systems’ SSH clients was used by students or researchers from multiple universities, it could have leaked credentials to all these 3rd-party systems.”