Skip to main content

Kobalos Backdoor

Linux backdoor that can utilise high performance computing (HPC) clusters as command and control (C2) servers.

Threat ID:
CC-3744
Category:
Backdoor
Threat Severity:
Low
Threat Vector:
Backdoor
Published:
5 February 2021 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Linux backdoor that can utilise high performance computing (HPC) clusters as command and control (C2) servers.

Affected platforms

The following platforms are known to be affected:

Linux-based high performance computing clusters and servers

Threat details

Introduction

Kobalos is a backdoor that has been observed targeting Linux-based high performance computing (HPC) clusters and servers, primarily within academic and research networks.

Delivery

At the time of publication it is not known exactly how Kobalos is distributed, but it is possible that the login credentials it steals are later used to compromise additional hosts. Some compromised hosts were found to be running unpatched software with known vulnerabilities that may have also been exploited.

Activities

When a system has been compromised Kobalos enables access to the file system and can create terminal sessions. Kobalos can either run standalone, or embedded within the system's OpenSSH server executable to steal credentials during logins. Kobalos can use compromised servers for command and control (C2), proxying connections to other infected servers. The overall objective of the threat actors operating Kobalos is currently unknown.

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators
  • Non-SSH traffic on an SSH server port (Kobalos does not exchange an SSH banner)
Host indicators

File hashes (SHA-1):

  • FBF0A76CED2939D1F7EC5F9EA58C5A294207F7FE
  • 479F470E83F9A5B66363FBA5547FDFCF727949DA
  • AFFA12CC94578D63A8B178AE19F6601D5C8BB224
  • 325F24E8F5D56DB43D6914D9234C08C888CDAE50
  • A4050A8171B0FA3AE9031E0F8B7272FACF04A3AA
  • 6616DE799B5105EE2EB83BBE25C7F4433420DFF7
  • E094DD02CC954B6104791925E0D1880782B046CF
  • 1DD0EDC5744D63A731DB8C3B42EFBD09D91FED78
  • C1F530D3C189B9A74DBE02CFEB29F38BE8CA41BA
  • 659CBDF9288137937BB71146B6F722FFCDA1C5FE

Keys:

  • MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOUgD8sEF1kZ04QxCd60HrB+TxWnLQEDwzb0sZ8vMMD6xnUAJspdYzSVDnRnKYjTOM43qtLNcJOwVj6cuC1uHHMCAwEAAQ==
  • AE0E05090F3AC2B50B1BC6E91D2FE3CE

YARA rules:

rule kobalos
{
meta:
 description = “Kobalos malware”
 author = “Marc-Etienne M.Léveillé”
 date = “2020-11-02”
 reference = “http://www.welivesecurity.com”
 source = “https://github.com/eset/malware-ioc/”
 license = “BSD 2-Clause”
 version = “1”
strings:
 $encrypted_strings_sizes = {
 05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
 08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
 01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
 05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
 }
 $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
 $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
 $strings_RC4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }
condition:
 any of them
}

rule kobalos_ssh_credential_stealer {
meta:
 description = “Kobalos SSH credential stealer seen in OpenSSH client”
 author = “Marc-Etienne M.Léveillé”
 date = “2020-11-02”
 reference = “http://www.welivesecurity.com”
 source = “https://github.com/eset/malware-ioc/”
 license = “BSD 2-Clause”
 version = “1”
strings:
 $ = “user: %.128s host: %.128s port %05d user: %.128s password: %.128s”
condition:
 any of them
}

Last edited: 5 February 2021 11:22 am