Min menu


Kobalos .. Malicious software targeting supercomputers


 A small and complex type of malware targets giant computers around the world and ESET's cybersecurity team named the malicious software kobalos.

The malicious software targeted the giant computers used by a large Asian Internet service provider ISP, a U.S. endpoint security vendor, and a number of private servers, among other targets.

Kobalos is unusual for a number of reasons, as the malicious software base is small but complex enough to affect Linux, BSD, and Solaris operating systems.

Cybersecurity firm ESET suspects that it may be compatible with attacks against IBM AIX and Windows devices as well.

"It must be said that this level of sophistication rarely appears in Linux malware," said Marc-Etienne Léveillé, a cybersecurity researcher.

While working with CERN's computer security team, ESET realized that unique, multi-platform malicious software targeted high-performance HPC sets.

In some cases, the malicious software appears to hijack SSH server connections to steal data that is then used to access high-performance HPC and Kobalos computer sets and kobalos deployment.

Kobalos is essentially a back door, and after reaching the giant computer, the code hides in the executable OpenSSH server.

This triggers the back door if a call is made through a specific TCP source port, and other variables act as intermediaries for traditional C2 command and control server communications.

 Kobalos gives its operators remote access to file systems, allows them to create terminal sessions, and also acts as contact points for other servers infected with malicious software.

ESET says that one of the unique aspects of Kobalos software is its ability to convert any server that has been hacked into C2 through a single order.

Malicious software was a challenge for analysis as all of its code is kept in a single function that frequently calls itself to perform subtasks, and all strings are encrypted as an additional barrier to reverse geometry.

"We have not been able to determine the intentions of Kobalos operators, and system officials across the hacked devices have not found any other malware, except for the SSH credential theft tool," ESET said.