Attacks On Supercomputers – a New Threat That May Turn the World Upside Down

Tidio Live Chat Software - Add Tidio live chat software to your website in minutes. Contact visitors and turn them into happy customers. Enhance their experience and boost your sales. Get it for Free

ESET researchers have revealed detailed info about a new virus named after the Greek mythology spirit Kobalos. After thorough analysis and data search, ESET stated that Kobalos strikes high-performance computers (HPC) on academic and research networks.

Also, this malware targets web servers with high-functionality clusters and a lot of encrypted information. The malicious code grants remote access to the system as well as creates terminal sessions with other Kobalos-infected servers.

Also Read

According to the CERN Computer Security Team, the malware, and the techniques it applies in these attacks differ from all known viruses. The main threat to security is the inability of most admins to detect and delete malware due to the obfuscated code. However, after a thorough analysis of Kobalos, cybersecurity experts revealed that it is possible to determine if a system is attacked by Kobalos by connecting to the SSH server using a specific TCP source port.

Stolen Credentials

Elegant Themes - The most popular WordPress theme in the world and the ultimate WordPress Page Builder. Get a 30-day money-back guarantee. Get it for Free

The /usr/bin/ssh file is being replaced with a modified executable that collects usernames, passwords, and target hostnames, and later writes this data to an encrypted file. Hackers later use stolen credentials to install Kobalos on the targeted servers. To avoid being hacked, admins need to set multi-factor authentication (MFA) for accessing SSH servers.

Kobalos algorithm

Kobalos has a built-in code for launching and setting up a C&C server. The virus is a semi-generic backdoor. It uses special techniques in order not to reveal the hackers or their intentions. Kobalos grants remote access to the system enabling attackers to spawn terminal sessions. The malware also can establish connections via proxy servers to all the infected servers.

Connection methods

Kobalos is integrated into the OpenSSH server executable and launches the malicious code if the connection arrives from a specific TCP port.  But it has and may apply other variations of connectivity not involving the built-in sshd code. The most common tactics used by Kobalos are as follows:

  • Connect to a C&C server that will act as a conductor.
  •  Inbound connection on a given TCP port.

When infected by Kobalos, any server can serve as a Command & Control server and at the same time as a data storage. Even if IPs and proxies are initially hardcoded and encrypted, Kobalos operators can create and generate new C&C servers that use data of newly infected machines.

Sophisticated credential-stealing technique

As was stated by the ESET experts, anyone who uses the SSH client on a compromised machine will have their credentials stolen. This method of stealing personal data is different from any other malicious OpenSSH clients. The hackers gradually get a full database of all people registered.

The sophistication of this method lies in an inability to track the IPs and servers from where the attacks are coming. There is nothing similar to earlier ways of credential stealing. For example, strings are left unencrypted, and stolen usernames and passwords are simply written to a disk file.

Kobalos is written for Linux, but its slightly modified version may infect Mac systems too. Most of its code is created using a single-function coding algorithm, so the virus can perform subtasks and create an interconnected chain-code environment. Additionally, all strings and links are encrypted, which makes it more challenging to cure and delete.

Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4 keys are exchanged, and the rest of the communication is encrypted by the agile chain algorithm. Also, it launches connections in a chaotic manner.

How to detect the malware?

On the network level, it is possible to identify the Kobalos malware by separating non-SSH traffic on the port ascribed to an SSH server. Whenever this virus communicates with an operator, no SSH banner exchange occurs, neither from the server nor the client.

Again, it is strongly advised to use multi-factor authentication for connecting to SSH servers. MFA helps mitigate the threat since in most cases this malware uses stolen credentials to propagate to new servers and systems.

Final thoughts

The intentions of Kobalos operators are still a mystery. No other virus strain, except for the SSH private data stealer, was found by system admins on the infected machines. The protocol Kobalos uses is tightly contained in a single functioning code. This virus is really a threat that is hard to detect and kill.

High-performance computers or simply supercomputers should be thoroughly protected. New studies reveal more and more threats that may cause serious problems. Let us hope that researchers will create the right protection from the Kobalos. All your knowledge and comments on the subject are welcome. Secure your data with constant software updates and by using multi-factor authentication.

Save up to 60% on OptinMonster

Stay updated

Subscribe to our newsletter and never miss an update on the latest tech, gaming, startup, how to guide, deals and more.

Grow Your Business

Place your brand in front of tech-savvy audience. Partner with us to build brand awareness, increase website traffic, generate qualified leads, and grow your business.

- Advertisement -
David Balaban
David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Grow Your Business

Get these business solutions, tools and services to help your business grow.

Elementor -Join 5,000,000+ Professionals Who Build Better Sites With Elementor. Build your website with 100% visual design that loads faster and speeds up the process of building them.

WP Rocket

WP Rocket - Speed up your website with the most powerful caching plugin in the world. The website speed increase means better SEO ranking, user experience, and conversation. It’s a fact that Google loves a fast site.


Kinsta - If you are looking for WordPress managed hosting, Kinsta is in the leading front. Kinsta provides WordPress hosting for a small or large business that helps take care of all your needs regarding your website with cutting-edge technology.


OptinMonster - Instantly boost leads and grow revenue with the #1 most powerful conversion optimization toolkit in the world. 700,000+ websites are using OptinMonster to turn their traffic into leads, subscribers, and sales.


- Advertisement -