Wordfence cybersecurity researchers: The versions involved are up to, and including, 0.3.11. The issue has been completely fixed in 0.3.12.
ESET: Kobalos is a new malware that also targets high-performance computing (HPC) clusters. It is embedded in the sshd and triggers the backdoor code if the connection comes from a specific TCP source port.
Kobalos is a new malware that also targets high-performance computing (HPC) clusters. It was discovered by ESET security researchers. It is a backdoor that grants remote access to the file system, can spawn terminal sessions, and can proxy connections to other Kobalos-infected servers. The operators have several ways to reach it. The most common one has Kobalos embedded in the OpenSSH server executable (sshd); the backdoor code is triggered only when the incoming connection originates from a specific TCP source port, so ordinary SSH clients, which use ephemeral source ports, never activate it. Other stand-alone variants are not embedded in sshd: these either connect out to a C&C server that acts as a middleman, or listen for an inbound connection on a given TCP port. Furthermore, the code for running a C&C server is part of Kobalos itself, so any compromised server can be turned into a C&C server by the operators with a single command.
The cybersecurity experts: Kobalos is also a credential stealer, which gives it a strong propagation ability.
According to the researchers, on most systems compromised by Kobalos the SSH client is also trojanized to steal credentials. The credential stealer is far less sophisticated than the backdoor: no effort was made to obfuscate its early variants. Its presence may partially explain how the malware propagates: anyone using the SSH client on a compromised machine has their username, password and target host captured, and those credentials can later be used to install Kobalos on the newly reached server. The backdoor itself is harder to analyze. All of its code is held in a single function that recursively calls itself to perform subtasks, and all strings are encrypted, so the malicious code is much harder to spot when looking at samples statically. Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once authenticated, RC4 keys are exchanged and the rest of the communication is encrypted with them. Note that 512-bit RSA is far below any acceptable key size for protecting traffic today; here it serves only to keep other parties from using the backdoor, not to provide strong confidentiality.