The sophisticated backdoor steals SSH credentials for servers in academic and scientific high-performance computing clusters.
A tiny-sized malware that packs a big punch has been targeting supercomputers, especially those used in academia and scientific enterprises. It allows initial access for a variety of follow-on attacks, including credential theft – and potentially data exfiltration or cryptomining.
That’s according to ESET researchers, who discovered the Kobalos backdoor in recent months. The code grants remote access to the file system, allows attackers to create terminal sessions and allows proxying connections to other Kobalos-infected servers.
“Kobalos malware contains generic commands to read from and write to the file system and spawn a terminal to execute arbitrary commands,” they explained. “Unfortunately, it doesn’t contain any specific payload that could indicate the intentions of its authors. The operators likely open a shell through the terminal and perform whatever commands they need to.”
Kobalos, Mischievous Sprite
Kobalos gets its name from Greek mythology. The kobaloi were companions of Dionysus, a band of mischievous sprites known for tricking and frightening mortals. ESET researchers adopted the name for the malware due to “for its tiny code size and many tricks,” they said in an analysis issued Tuesday.
The backdoor is multiplatform and capable of attacking Linux, BSD, Solaris, and possibly AIX and Windows machines, researchers said (they found strings related to Windows 3.11 and Windows 95, which are 25-year-old operating systems).
So far, it’s been seen going after high performance computing (HPC) clusters; but also was seen infecting a large Asian ISP, a North American endpoint security vendor and a handful of personal servers.
ESET identified Kobalos victims by scanning for connections to SSH servers that use a specific TCP source port known to be abused by the malware.
“There are multiple ways for the operators to reach a Kobalos-infected machine,” according to ESET. “The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port.”
However, there are other standalone variants that are not embedded in sshd; these either connect to a command-and-control server (C2) that will act as a middleman, or it will wait for an inbound connection on a given TCP port, the firm noted.
ESET researchers are unsure how the infected systems were compromised to gain administrative access to install the Kobalos backdoor, but an obvious possible entry point could be exploitation of a known vulnerability.
“Some of the compromised machines ran old, unsupported or unpatched operating systems and software,” they explained. “While the use of an undisclosed vulnerability isn’t impossible, a known exploit is more likely in this situation.”
Kobalos also is likely using stolen credentials – ESET observed that in systems compromised by Kobalos, any SSH client in use has credentials stolen using a second-stage malware. This SSH credential stealer took the form of a trojanized OpenSSH client.
“The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file,” ESET researchers explained. Those stolen credentials can simply be used by the attackers to install Kobalos on the newly discovered server later.
Thus, to avoid becoming a victim, administrators should make sure patches are up-to-date and they should set up two-factor authentication (2FA) for connecting to SSH servers, researchers noted: “Kobalos is another case where 2FA could have mitigated the threat, since the use of stolen credentials seems to be one of the ways it is able to propagate to different systems.”
A Self-Contained Malware Ecosystem
The C2 server approach in Kobalos is notable, according to the analysis – because it has the C2 code embedded within itself.
“Any server compromised by Kobalos can be turned into a C2 server by the operators sending a single command,” researchers explained. “As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server.”
Kobalos also can be used as a proxy to connect other infected servers.
“It is not a generic TCP proxy; it expects communication to be encapsulated in packets specific to this threat. [Also] a command can be sent to the proxy to ‘switch’ the connection to a new TCP port. Proxies can be chained, which means the operators can use multiple Kobalos-compromised machines to reach their targets.”
Interestingly, of the Kobalos code is tightly contained in a single function, which “recursively calls itself to perform subtasks,” according to the analysis.
This compact architecture combines with other malware attributes to defy analysis. For instance, ESET pointed out that Kobalos’ usage of an existing open port makes the threat harder to find. And, all strings are encrypted, “so it’s more difficult to find the malicious code than when looking at the samples statically,” the report noted.
To that end, using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once both are validated, Kobalos generates and encrypts two 16-byte keys with the RSA-512 public key and sends them to the attackers. These two keys are used to RC4 encrypt subsequent inbound and outbound traffic.
Overall, the Kobalos authors are clearly advanced attackers, ESET surmised.
“Numerous well-implemented features and the network-evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” according to the report. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our internet-wide scan.”
SSH Client Credential Theft
The credential stealer mentioned earlier is unique, researchers said, and unlike any of the malicious OpenSSH clients the team has analyzed in the past.
Different variants were found, including Linux and FreeBSD instances. In all cases, the main capabilities consist of stealing hostname, port, username and password used to establish an SSH connection from the compromised host, which are saved in an encrypted file.
“All samples found use the same simple cipher for the contents of the files; it simply adds 123 to each byte of data to be saved,” researchers explained. “For the FreeBSD version, the same format and cipher is applied. However, there are some small implementation differences, such as encrypting the file path in the malware with a single-byte XOR.”
The location of the file where the stolen SSH credentials are saved varies depending on the variant, but all samples create a file under /var/run with a legitimate-looking “.pid” extension.
Newer versions of the credential-stealer contain an encrypted configuration and adds the functionality to exfiltrate credentials over UDP to a remote host specified in the configuration.
“Exfiltrating credentials over UDP is something Ebury and other SSH credential stealers such as Bonadan, Kessel and Chandrila have been doing,” the analysis read. “The choice of UDP could be to bypass a firewall and avoid creating TCP network flow to potentially untrusted hosts.”
The malware’s configuration includes the hostname of the victim and a specified file path for exfiltration, so that the cyberattackers can track the origin of the credentials. “This also means that each compromised server receives a unique sample of the credential stealer,” researchers added.
Interestingly, the code lacks the sophistication of Kobalos itself, according to ESET.
“For example, strings were left unencrypted, and stolen usernames and passwords are simply written to a file on disk,” researchers wrote. “However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network.”
Attacks on HPCs have become more common in the last 12 months.
An advisory from the European Grid Infrastructure (EGI) CSIRT last year warned that supercomputing clusters in Canada, China and Poland had been compromised to deploy cryptocurrency miners.
And meanwhile, the U.K. supercomputer known as ARCHER was compromised in May last year to steal SSH credentials.
It’s unclear if Kobalos was working its mischief in these attacks; the CERN Computer Security Team responsible for mitigating attacks on scientific research networks did say that Kobalos’ existence predates the incidents, but ESET found that the techniques described in the cryptomining attacks in particular were different from the Kobalos efforts.
Nonetheless, Kobalos has a clear interest in supercomputing, and these high-profile targets, show that the objective of the Kobalos operators isn’t to compromise as many systems as possible, researchers noted.
“It is not clear why the HPC community is overly represented among the victims of these attacks,” according to the report. “HPC centers are obviously interesting targets but typically less easily accessible than other academic servers.”
That said, “CERN and other incident response teams [have] observed a number of legacy designs and suboptimal security practices that played a key role in enabling the attackers to spread their attacks. Additionally, most HPC victims were poorly prepared for forensics, in particular with regard to traceability.”
The credential-stealing aspect of Kobalos could also explain why many academic networks were compromised, they added: “If one of those system’s SSH clients was used by students or researchers from multiple universities, it could have leaked credentials to all these third-party systems.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!