ESET researchers have published detailed information about new malware named Kobalos, after the spirit from Greek mythology. After thorough analysis and data search, ESET stated that Kobalos strikes high-performance computers (HPC) on academic and research networks.
Also, this malware targets web servers with high-functionality clusters and with a lot of encrypted information on them. The malicious code grants remote access to the system and can create terminal sessions with other Kobalos-infected servers.
According to the CERN Computer Security Team, the malware and the techniques it applies in these attacks differ from all known viruses. The main threat to security is that most admins cannot detect and remove the malware because of its obfuscated code. However, after a thorough analysis of Kobalos, cybersecurity experts revealed that it is possible to determine whether a system is infected with Kobalos by connecting to the SSH server from a specific TCP source port.
The /usr/bin/ssh file is replaced with a modified executable that collects usernames, passwords, and target hostnames, and later writes this data to an encrypted file. Hackers later use the stolen credentials to install Kobalos on the targeted servers. To avoid being hacked, admins need to set up multi-factor authentication (MFA) for access to SSH servers.
Kobalos has built-in code for launching and setting up a C&C server. The virus is a semi-generic backdoor. It uses special techniques in order not to reveal the hackers or their intentions. Kobalos grants remote access to the system, enabling attackers to spawn terminal sessions. The malware can also establish connections via proxy servers to all the infected servers.
Kobalos is integrated into the OpenSSH server executable and launches the malicious code if the connection arrives from a specific TCP source port. It also has other connection variants that do not involve the built-in sshd code. The most common tactics used by Kobalos are as follows:
- Connect to a C&C server that will act as a conductor.
- Inbound connection on a given TCP port.
When infected by Kobalos, any server can serve as a Command & Control server and at the same time as data storage. Even if the IPs and proxies are initially hardcoded and encrypted, Kobalos operators can create new C&C servers that use data from newly infected machines.
Sophisticated credential-stealing technique
According to the ESET experts, anyone who uses the SSH client on a compromised machine will have their credentials stolen. This method of stealing personal data is different from any other malicious OpenSSH client known before. The hackers gradually get a full database of all people registered.
The sophistication of this method lies in the inability to track the IPs and servers from which the attacks are coming. There is nothing similar to earlier ways of credential stealing. For example, strings are left unencrypted, and stolen usernames and passwords are simply written to a disk file.
Kobalos is written for Linux, but its slightly modified version may infect Mac systems too. Most of its code is created using a single-function coding algorithm, and as a result, the virus can perform subtasks and create an interconnected chain-code environment. Additionally, all strings and links are encrypted, which makes it more challenging to cure and delete.
Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4 keys are exchanged, and the rest of the communication is encrypted by the agile chain algorithm. Also, it launches connections in a chaotic manner.
How to detect the malware?
On the network level, it is possible to identify the Kobalos malware by looking for non-SSH traffic on the port assigned to an SSH server. Whenever this virus communicates with an operator, no SSH banner exchange occurs: neither the server nor the client sends one.
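The banner check described above can be automated. The following Python is an added example, not code from ESET or from this article: it labels flows seen on the SSH port by whether each side's first bytes contain an SSH identification string as defined in RFC 4253, section 4.2. The flow dictionary layout, the function names and the sample data are assumptions made for illustration; extracting the first payload bytes per direction from a capture is left to existing tooling.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion[ SP comments]" CR LF
IDENT_RE = re.compile(rb"SSH-(2\.0|1\.99)-[\x21-\x2c\x2e-\x7e]+( [\x20-\x7e]*)?")

def has_ssh_banner(payload: bytes, allow_preamble: bool) -> bool:
    """True if the first bytes sent by one side contain an SSH identification line."""
    lines = [l.rstrip(b"\r") for l in payload.split(b"\n")[:-1]]  # complete lines only
    if not allow_preamble:       # only servers may send other lines before the banner
        lines = lines[:1]
    return any(len(l) <= 253 and IDENT_RE.fullmatch(l) is not None for l in lines)

def classify(flow: dict) -> str:
    """Label one TCP flow seen on the SSH port from each side's first payload bytes."""
    if not flow["client"] and not flow["server"]:
        return "no-data"         # e.g. a port probe that never sent anything
    client_ok = has_ssh_banner(flow["client"], allow_preamble=False)
    server_ok = has_ssh_banner(flow["server"], allow_preamble=True)
    if client_ok and server_ok:
        return "ssh"
    if not client_ok and not server_ok:
        return "no-banner"       # data flowed, but neither side spoke SSH
    return "partial"             # one side spoke SSH, e.g. a stray non-SSH client

def flows_to_review(flows: list) -> list:
    """IDs of flows where data was exchanged without any SSH banner."""
    return [f["id"] for f in flows if classify(f) == "no-banner"]

# Constructed sample flows (not real captures): first bytes sent in each direction.
SAMPLE_FLOWS = [
    {"id": "f1", "client": b"SSH-2.0-OpenSSH_8.4\r\n", "server": b"SSH-2.0-OpenSSH_7.4\r\n"},
    {"id": "f2", "client": b"SSH-2.0-libssh_0.9.5\r\n",
     "server": b"Authorized use only\r\nSSH-2.0-OpenSSH_8.2p1 Ubuntu-4\r\n"},
    {"id": "f3", "client": bytes.fromhex("8f1c03a7e2d94b10"), "server": bytes.fromhex("5a90c4ee017b")},
    {"id": "f4", "client": b"", "server": b""},
    {"id": "f5", "client": b"GET / HTTP/1.1\r\n", "server": b"SSH-2.0-OpenSSH_8.4\r\n"},
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f["id"], classify(f))
    print("review:", flows_to_review(SAMPLE_FLOWS))
```

A "no-banner" result is a lead for investigation rather than proof of infection, since any non-SSH service placed on that port would produce the same label.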
Again, it is strongly advised to use multi-factor authentication for connecting to SSH servers. MFA helps mitigate the threat since in most cases this malware uses stolen credentials to propagate to new servers and systems.
The intentions of Kobalos operators are still a mystery. No other virus strain, except for the SSH private data stealer, was found by system admins on the infected machines. The protocol Kobalos uses is tightly contained in a single functioning code. This virus is really a threat that is hard to detect and kill.
High-performance computers, or simply supercomputers, should be thoroughly protected. New studies reveal more and more threats that may cause serious problems. Let us hope that researchers will create the right protection against Kobalos. All your knowledge and comments on the subject are welcome. Secure your data with constant software updates and by using multi-factor authentication.