Kobalos Malware Threat Intel Advisory

###### Advisory Malware Advisory
###### Type Credential Stealer, Backdoor
###### Name Kobalos Malware
###### Affected Industries IT & ITES, Government services

Kobalos is a sophisticated Linux malware that has a small, yet complex codebase. In January 2021, ESET Researchers discovered this malware actively targeting high-performing computers across multiple organizations. Although the malware’s codebase is tiny it is enough to attack Linux, BSD, Solaris and probably other operating systems as well.

Execution

Kobalos was detected targeting supercomputer clusters in Poland, Canada and China. Kobalos operators deploy a different malware to hijack SSH server connections and steal credentials. Followed by which, the stolen credentials are used to penetrate the computer clusters to mobilize Kobalos. It works as a backdoor and abuses specific TCP source ports.

Kobalos allows attackers to access the file system remotely, generate terminal sessions, etc. One of the unique features of this malware is that it can turn a compromised server into a C2 server with a single command. Once the malware is dropped on a supercomputer, the code is hidden in an OpenSSH server executable and Kobalos listens to a specific TCP source port which then triggers the backdoor. The other Kobalos variants act as middlemen for traditional command-and-control (C2) server connections.

Kobalos features and ways to access them

Kobalos code is held in a single function that periodically calls itself to perform subtasks making it harder for reverse engineering. The backdoor requires a private 512-bit RSA key and a 32-byte-long password to be executed. Once validated RC4 keys are exchanged and further communication is encrypted with them.

image

Impact

Business Impact
  1. Financial loss to the organization if its operations are interrupted
  2. Loss of brand reputation
  3. Compromised PII leads to social engineering attacks
Technical Impact

Creates a backdoor which allows access to the user’s device. Through which the attacker will be able to modify files or launch the malicious software.

Indicators of Compromise

SHA1
  1. 1dd0edc5744d63a731db8c3b42efbd09d91fed78
  2. 325f24e8f5d56db43d6914d9234c08c888cdae50
  3. 479f470e83f9a5b66363fba5547fdfcf727949da
  4. 659cbdf9288137937bb71146b6f722ffcda1c5fe
  5. 6616de799b5105ee2eb83bbe25c7f4433420dff7
  6. a4050a8171b0fa3ae9031e0f8b7272facf04a3aa
  7. affa12cc94578d63a8b178ae19f6601d5c8bb224
  8. c1f530d3c189b9a74dbe02cfeb29f38be8ca41ba
  9. e094dd02cc954b6104791925e0d1880782b046cf
  10. fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
SHA256
  1. 13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a
  2. 29e2f15a4a6275f43d86cf613c2934171aa5be187da7fdaa99a006245890de1f
  3. 4d610283c93904d984a42269aef65c2cab89f4a127d9c229a700e6aaf9d7000e
  4. 6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a
  5. 73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58
  6. 75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45
  7. 9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74
  8. d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983
  9. dd1b3cd0042d4c090bc72099f30e4b76d5f2772f9f9f95176f2c59bc2ac30aa8
  10. f8c931767bc0ab951b72ab691163e6d1fc3c50e4ceee5277858d3e77a0c02e92

Mitigation

  1. Use updated antivirus software that detects and stops malware infections
  2. Apply critical patches to the system and application
  3. Use strong passwords and enable 2FA over logins
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly
1 Like