Researchers at ESET talked about a new malware attacking supercomputers. Experts named it Kobalos after the character of ancient Greek mythology, Kobalos, a mischievous spirit who adores deceiving and frightening people. A large Asian Internet provider and an American provider of security solutions have already become victims of the malware.
Kobalos is interesting for several reasons. Its codebase is very small but complex enough to attack Linux, BSD, and Solaris. Moreover, such complex code is very rare for malware written for Linux. According to experts, Kobalos may also be suitable for attacks on AIX and Microsoft Windows.
Together with the computer security team of the European Organization for Nuclear Research (CERN), ESET researchers have determined that "unique multiplatform" malware attacks computing clusters (HPC). In some cases, additional malware intercepted the server's SSH connection in order to steal the credentials that attackers used to gain access to HPC and deploy Kobalos. The use of this info-stealer partly explains how the malware spreads.
Kobalos is essentially a backdoor. Once installed on a supercomputer, it is embedded in the executable file (sshd) of the OpenSSH server and launches the backdoor functionality if a call is made through a specific TCP port. There are other variants of Kobalos that do not embed in sshd. These options either connect to a C&C server acting as an intermediary, or wait for an incoming connection on a given TCP port.
Kobalos gives its operators remote access to file systems, allows terminal sessions to be launched, and also acts as points of connection to other servers infected with malware.
A unique feature of Kobalos is its ability to turn any compromised server into a C&C server with just one command. Since the IP addresses and ports of the C&C server are hardcoded into the executable, malware operators can generate new Kobalos samples using this new C&C server.
What goals the malware operators pursue, the researchers failed to establish. No other malware, except for Kobalos itself and the info-stealer, was also found on infected systems.