ESET finds tiny yet complex Linux threat attacking supercomputers, Kobalos

ESET researchers have discovered Kobalos, a malware that has been attacking supercomputers – high performance computer (HPC) clusters. ESET has worked with the CERN Computer Security Team and other organizations involved in mitigating attacks on these scientific research networks. Among other targets was a large Asian ISP, a North American endpoint security vendor as well as several privately held servers.

ESET researchers have reverse engineered this small, yet complex malware that is portable to many operating systems including Linux, BSD, Solaris, and possibly AIX and Windows. “We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a kobalos is a small, mischievous creature,” explains Marc-Etienne Léveillé, who investigated Kobalos. “It has to be said that this level of sophistication is only rarely seen in Linux malware,” adds Léveillé.

Kobalos is a backdoor containing broad commands that don’t reveal the intent of the attackers. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers,” says Léveillé.

Any server compromised by Kobalos can be turned into a Command & Control (C&C) server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server. In addition, in most systems compromised by Kobalos, the client for secure communication (SSH) is compromised to steal credentials.