August14 , 2022

Attacks on Supercomputers – a New Threat That May Turn the World Upside Down


Tempest Rising gameplay trailer, release date, and more details revealed so far

At a THQ Nordic event, the future RTS games with medieval backdrops were showcased, providing players with new glimpses at the studio's previously announced ga...

MultiVersus Season 1, Morty character release date, and other details confirmed

After being postponed earlier in the month, fans of MultiVersus have been anxiously awaiting the release of season 1. The first season, along with a new playab...

First look of COD Modern Warfare 2 Farm 18 map has been revealed

Prior to the game's major unveiling in September, Infinity Ward released additional information about the multiplayer in Call of Duty: Modern Warfare. The Mode...

Top 4 things successful forex traders do

There is no shortcut to achieving success as a forex trader. They are like the ocean; as a trader, you are a mere surfer. To be a successful surfer, you will n...

Jordan Challenge returns in NBA 2K23 with 15 unique playable moments

2K Games has just released information on the reintroduction of one of its most awaited features. The Jordan Challenge, which served as the focal point of a se...
- Advertisement -

ESET researchers have revealed detailed info about a new virus named after the Greek mythology spirit Kobalos. After thorough analysis and data search, ESET stated that Kobalos strikes high-performance computers (HPC) on academic and research networks.

Also, this malware targets web servers with high-functionality clusters and with a lot of encrypted information on them. The malicious code grants remote access to the system as well as creates terminal sessions with other Kobalos-infected servers.

According to the CERN Computer Security Team, the malware, and the techniques it applies in these attacks differ from all known viruses. The main threat to security is the inability of most admins to detect and delete malware due to the obfuscated code. However, after a thorough analysis of Kobalos, cybersecurity experts revealed that it is possible to determine if a system is attacked by Kobalos by connecting to the SSH server using a specific TCP source port.

Stolen Credentials

Also Read

The /usr/bin/ssh file is being replaced with a modified executable that collects usernames, passwords, and target hostnames, and later writes this data to an encrypted file. Hackers later use stolen credentials to install Kobalos on the targeted servers. To avoid being hacked, admins need to set multi-factor authentication (MFA) for accessing SSH servers.

Kobalos algorithm

Kobalos has a built-in code for launching and setting up a C&C server. The virus is a semi-generic backdoor. It uses special techniques in order not to reveal the hackers or their intentions. Kobalos grants remote access to the system enabling attackers to spawn terminal sessions. The malware also can establish connections via proxy servers to all the infected servers.

Connection methods

Kobalos is integrated into the OpenSSH server executable and launches the malicious code if the connection arrives from a specific TCP port.  But it has and may apply other variations of connectivity not involving the built-in sshd code. The most common tactics used by Kobalos are as follows:

  • Connect to a C&C server that will act as a conductor.
  •  Inbound connection on a given TCP port.

When infected by Kobalos, any server can serve as a Command & Control server and at the same time as a data storage. Even if initially IPs and proxies are hardcoded and encrypted, Kobalos operators can create and generate new C&C servers that use data of newly infected machines.

Sophisticated credential-stealing technique

As was stated by the ESET experts, anyone who uses the SSH client on a compromised machine will have their credentials stolen. This method of personal data stealing is different from any other malicious OpenSSH clients known before. The hackers gradually get a full database of all people registered.

The sophistication of this method lies in an inability to track the IPs and servers from where the attacks are coming. There is nothing similar to earlier ways of credential stealing. For example, strings are left unencrypted, and stolen usernames and passwords are simply written to a disk file.

Kobalos is written for Linux, but its slightly modified version may infect Mac systems too. Most of its code is created using a single-function coding algorithm, and as a result, the virus can perform subtasks and create an interconnected chain-code environment. Additionally, all strings and links are encrypted, which makes it more challenging to cure and delete.

Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4 keys are exchanged, and the rest of the communication is encrypted by the agile chain algorithm. Also, it launches connections in a chaotic manner.

How to detect the malware?

On the network level, it is possible to identify the Kobalos malware by separating non-SSH traffic on the port ascribed to an SSH server. Whenever this virus communicates with an operator, no SSH banner exchange occurs, neither from the server nor the client.

Again, it is strongly advised to use multi-factor authentication for connecting to SSH servers. MFA helps mitigate the threat since in most cases this malware uses stolen credentials to propagate to new servers and systems.

Final thoughts

The intentions of Kobalos operators are still a mystery. No other virus strain, except for the SSH private data stealer, was found by system admins on the infected machines. The protocol Kobalos uses is tightly contained in a single functioning code. This virus is really a threat that is hard to detect and kill.

High-performance computers or simply supercomputers should be thoroughly protected. New studies reveal more and more threats that may cause serious problems. Let us hope that researchers will create the right protection from the Kobalos. All your knowledge and comments on the subject are welcome. Secure your data with constant software updates and by using multi-factor authentication.

Stay updated

Subscribe to our newsletter and never miss an update on the latest tech, gaming, startup, how to guide, deals and more.

Grow Your Business

Place your brand in front of tech-savvy audience. Partner with us to build brand awareness, increase website traffic, generate qualified leads, and grow your business.

- Advertisement -
David Balaban
David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.


- Advertisement -
- Advertisement -