al capone
Advanced
- Joined
- 13.09.20
- Messages
- 159
- Reaction score
- 1,915
- Points
- 93
Kobalos is characterized by complex code, which is very rare for malware written under Linux.
ESET researchers told about a new malware attacking supercomputers. Experts named it Kobalos in honor of the character of ancient Greek mythology kobalos-a mischievous spirit who loves to deceive and scare people. The victims of the malware have already become a major Asian Internet service Provider and an American provider of security solutions.
Kobalos is interesting for several reasons. Its codebase is very small, but complex enough to attack Linux, BSD, and Solaris. Moreover, such complex code is very rare for malware created under Linux. According to experts, Kobalos can also be suitable for attacks on AIX and Microsoft Windows.
Together with the computer security team of the European Organization for Nuclear Research (CERN), ESET researchers found that "unique multiplatform" malware attacks computing clusters (HPC). In some cases, additional malware intercepted the server's SSH connection in order to steal the credentials that attackers used to gain access to the HPC and deploy Kobalos. The use of this infostealer partially explains how the malware spreads.
Kobalos is essentially a backdoor. Once installed on a supercomputer, it is embedded in the OpenSSH server's executable file (sshd) and runs the backdoor functionality if a corresponding call is made via a specific TCP port. There are other variants of Kobalos that are not embedded in sshd. These options either connect to a C & C server acting as an intermediary, or wait for an incoming connection on a given TCP port.
Kobalos provides its operators with remote access to file systems, allows you to run terminal sessions, and also acts as connection points to other servers infected with malware.
A unique feature of Kobalos is its ability to turn any hacked server into a C & C server with just one command. Since the IP addresses and ports of the C & C server are embedded in the executable file, malware operators can generate new Kobalos samples using this new C & C server.
The researchers were not able to determine what the goals of the malware operators are. No other malware, except for the Kobalos itself and the infostealer, was also found on the infected systems.
ESET researchers told about a new malware attacking supercomputers. Experts named it Kobalos in honor of the character of ancient Greek mythology kobalos-a mischievous spirit who loves to deceive and scare people. The victims of the malware have already become a major Asian Internet service Provider and an American provider of security solutions.
Kobalos is interesting for several reasons. Its codebase is very small, but complex enough to attack Linux, BSD, and Solaris. Moreover, such complex code is very rare for malware created under Linux. According to experts, Kobalos can also be suitable for attacks on AIX and Microsoft Windows.
Together with the computer security team of the European Organization for Nuclear Research (CERN), ESET researchers found that "unique multiplatform" malware attacks computing clusters (HPC). In some cases, additional malware intercepted the server's SSH connection in order to steal the credentials that attackers used to gain access to the HPC and deploy Kobalos. The use of this infostealer partially explains how the malware spreads.
Kobalos is essentially a backdoor. Once installed on a supercomputer, it is embedded in the OpenSSH server's executable file (sshd) and runs the backdoor functionality if a corresponding call is made via a specific TCP port. There are other variants of Kobalos that are not embedded in sshd. These options either connect to a C & C server acting as an intermediary, or wait for an incoming connection on a given TCP port.
Kobalos provides its operators with remote access to file systems, allows you to run terminal sessions, and also acts as connection points to other servers infected with malware.
A unique feature of Kobalos is its ability to turn any hacked server into a C & C server with just one command. Since the IP addresses and ports of the C & C server are embedded in the executable file, malware operators can generate new Kobalos samples using this new C & C server.
The researchers were not able to determine what the goals of the malware operators are. No other malware, except for the Kobalos itself and the infostealer, was also found on the infected systems.
