Linux malware backdoors supercomputers
ESET researchers discovered Kobalos, a malware that has been attacking supercomputers – high-performance computing (HPC) clusters – as well as other targets such as a large Asian ISP, a North American endpoint security vendor, and several privately held servers.
“Perhaps unrelated to the events involving Kobalos, there were multiple security incidents involving HPC clusters in the past year. Some of them hit the press and details were made public in an advisory from the European Grid Infrastructure (EGI) CSIRT about cases where cryptocurrency miners were deployed. The EGI CSIRT advisory shows compromised servers in Poland, Canada and China were used in these attacks. Press articles also mention Archer, a breached UK-based supercomputer where SSH credentials were stolen, but do not contain details about which malware was used, if any,” ESET researchers noted.
“We’ve worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on scientific research networks. According to them, the usage of the Kobalos malware predates the other incidents.”
The malware attacks supercomputers, servers…
ESET researchers have reverse engineered this small, yet complex malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows.
“We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a kobalos is a small, mischievous creature,” explains Marc-Etienne Léveillé, who investigated the malware. “It has to be said that this level of sophistication is only rarely seen in Linux malware.”
Kobalos is a backdoor containing broad commands that don’t reveal the intent of the attackers. It grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers, Léveillé notes.
Any server compromised by Kobalos can be turned into a Command & Control (C&C) server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server.
In addition, on most systems compromised by Kobalos, the SSH client is also compromised so that it steals credentials. “Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later,” Léveillé added.
Setting up two-factor authentication for connecting to SSH servers will mitigate the threat, since the use of stolen credentials seems to be one of the ways Kobalos propagates to other systems.
“From a network perspective, it is possible to detect Kobalos by looking for non-SSH traffic on the port attributed to an SSH server. When the Kobalos backdoor communicates with an operator, there is no SSH banner (SSH-2.0-…) exchanged, neither from the client nor the server,” the researchers shared.
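The network check described above, as an added example (not ESET's code and not from the whitepaper): flag TCP sessions on a port attributed to SSH where neither peer sends an SSH identification banner. The flow records, port set and the opaque handshake bytes are constructed for illustration; RFC 4253 allows a server to send a few non-banner lines before its "SSH-" line, so the check scans the first few lines rather than only the first byte.

```python
"""Flag sessions on SSH-attributed ports with no SSH banner from either side.
Added example; flows and port list are constructed, not taken from the page."""
from dataclasses import dataclass
from typing import List, Set

SSH_PORTS: Set[int] = {22}  # assumption: ports your environment assigns to SSH servers


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_first: bytes  # first payload bytes sent by the client
    server_first: bytes  # first payload bytes sent by the server


def has_ssh_banner(data: bytes, max_lines: int = 5) -> bool:
    """True if one of the first few lines starts with 'SSH-' (RFC 4253 s4.2).
    The server may legitimately send non-banner lines first, so look past them."""
    for line in data.split(b"\n", max_lines)[:max_lines]:
        if line.startswith(b"SSH-"):
            return True
    return False


def suspicious_flows(flows: List[Flow], ssh_ports: Set[int] = SSH_PORTS) -> List[Flow]:
    """Return flows on an SSH port where neither client nor server sent a banner."""
    return [
        f for f in flows
        if f.dport in ssh_ports
        and not has_ssh_banner(f.client_first)
        and not has_ssh_banner(f.server_first)
    ]


# Constructed sample sessions: a normal SSH login, an opaque non-SSH exchange
# on port 22, a server that prints a line before its banner, and non-SSH port 443.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 22, b"SSH-2.0-OpenSSH_8.4\r\n", b"SSH-2.0-OpenSSH_8.2p1\r\n"),
    Flow("203.0.113.7", "10.0.1.20", 22, b"\x16\x03\x01\x00\x4a\x01\x00", b"\x16\x03\x03\x00\x5a\x02\x00"),
    Flow("10.0.0.8", "10.0.1.21", 22, b"SSH-2.0-PuTTY_Release_0.74\r\n", b"Welcome\r\nSSH-2.0-OpenSSH_8.2p1\r\n"),
    Flow("10.0.0.9", "10.0.1.22", 443, b"\x16\x03\x01", b"\x16\x03\x03"),
]

if __name__ == "__main__":
    for f in suspicious_flows(SAMPLE_FLOWS):
        print(f"ALERT non-SSH exchange on SSH port: {f.src} -> {f.dst}:{f.dport}")
```

Only the second constructed flow is reported; a client that probes port 22 without a banner is not flagged as long as the server still answers with one.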
More technical details about the malware, IoCs and YARA rules are available in this whitepaper.