Original Release Date: 2/4/2021
ESET researchers have observed a new backdoor, dubbed Kobalos, that largely targets high-performance computing (HPC) clusters and servers on academic and research networks. Victims also include an endpoint security vendor and a large Internet Service Provider (ISP). Although the code itself is small, it is complex and capable of performing at least 37 actions, including turning a compromised machine into a command and control (C2) server. It also employs obfuscation and anti-forensics techniques and targets Unix-like platforms; however, some artifacts indicate that variants for Windows may exist. Additionally, the malware uses a trojanized OpenSSH client as a second stage to steal SSH credentials, which may explain how it moves laterally across a network. While the initial attack vector is unknown, researchers assess it may be the exploitation of known vulnerabilities, as many victims were running unpatched systems. Researchers are currently unable to determine the operators' intent, because the backdoor's commands are generic and it carries no specific payload.
The NJCCIC recommends that administrators ensure systems are patched and up to date, and enable multi-factor authentication (MFA) for SSH logins. Because the observed second stage is a trojanized OpenSSH client, administrators should also verify the integrity of SSH client and server binaries against the distribution's package manifests (for example with rpm -V or debsums) and rotate any SSH credentials that were used from a suspected host. Additional reporting can be found in the Threatpost article, and technical analysis can be found in the ESET Research white paper. Further indicators of compromise (IOCs) can be found in the associated GitHub repository.
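A practical check for the MFA recommendation, as an added example that is not part of the NJCCIC advisory or ESET's analysis: a POSIX shell audit that reads an sshd_config and flags the settings that still allow a password-only SSH login, run against two constructed configs, a typical distribution default and a hardened one that requires a public key plus a PAM-backed second factor. The two sample configs and the pam_google_authenticator reference are assumptions for the demonstration; only awk and tr are needed.

```shell
#!/bin/sh
# Added example (not from the NJCCIC advisory or ESET's research): audit an
# sshd_config for settings that still permit password-only SSH logins, i.e.
# what the MFA recommendation above is meant to replace. Assumes OpenSSH's
# "keyword argument" config syntax and PAM-backed keyboard-interactive MFA
# (e.g. pam_google_authenticator); both sample configs below are constructed.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_opt CONFIG_TEXT KEYWORD
# Prints the argument of the first uncommented line for KEYWORD. sshd uses the
# first occurrence of most keywords, so that is the effective value. Match
# blocks are not interpreted here (a Match block can override these settings).
sshd_opt() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/[[:space:]]+$/, "")
            print; exit
        }'
}

# audit_sshd_mfa CONFIG_TEXT
# Returns 0 when every login needs a public key plus a keyboard-interactive
# second factor; prints each failed check and returns 1 otherwise.
audit_sshd_mfa() {
    cfg="$1"
    rc=0

    # PasswordAuthentication defaults to yes, so an absent value fails too.
    if [ "$(lc "$(sshd_opt "$cfg" PasswordAuthentication)")" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be 'no' (default is yes)"
        rc=1
    fi

    # The PAM prompt rides on keyboard-interactive. Distributions often ship
    # 'ChallengeResponseAuthentication no'; the keyword was renamed
    # KbdInteractiveAuthentication in OpenSSH 8.7, so accept either spelling.
    kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    if [ "$(lc "$kbd")" = "no" ]; then
        echo "FAIL: keyboard-interactive authentication is disabled"
        rc=1
    fi

    if [ "$(lc "$(sshd_opt "$cfg" UsePAM)")" != "yes" ]; then
        echo "FAIL: UsePAM must be 'yes' for a PAM second factor"
        rc=1
    fi

    # Default AuthenticationMethods is 'any': one enabled method is enough.
    # Every space-separated alternative must require both factors.
    methods=$(sshd_opt "$cfg" AuthenticationMethods)
    [ -n "$methods" ] || methods="any"
    for alt in $methods; do
        case "$alt" in
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) echo "FAIL: AuthenticationMethods alternative '$alt' does not require publickey + keyboard-interactive"
               rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a typical distribution default.
WEAK_SSHD_CONFIG='# constructed sample: distribution default
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample: public key first, then the PAM prompt (e.g. a TOTP code
# from pam_google_authenticator configured in /etc/pam.d/sshd).
HARDENED_SSHD_CONFIG='# constructed sample: key + PAM second factor
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam'

echo "== weak config =="
audit_sshd_mfa "$WEAK_SSHD_CONFIG" || echo "result: FAIL"
echo "== hardened config =="
audit_sshd_mfa "$HARDENED_SSHD_CONFIG" && echo "result: PASS"
```

Run it against a live host with `audit_sshd_mfa "$(cat /etc/ssh/sshd_config)"` (and any files pulled in by Include, which the audit does not follow). The hardened settings only work once the PAM stack for sshd actually prompts for the second factor; validate with `sshd -t`, then confirm the new login flow from a second session before closing the one you are editing from, or you can lock yourself out of the server.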