High-performance computing clusters belonging to university networks as well as servers associated with government agencies, endpoint security vendors, and internet service providers have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely.
“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers,” researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said in a Tuesday analysis. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.”
Besides tracing the malware back to attacks against a number of high-profile targets, ESET said the malware is capable of taking aim at Linux, FreeBSD, Solaris, and possibly AIX and Windows machines, with code references hinting at Windows 3.11 and Windows 95 legacy operating systems.
Kobalos infections are believed to have started in late 2019 and have since continued to remain active throughout 2020.
The initial compromise vector used to deploy the malware and the ultimate objective of the threat actor remains unclear as yet, but the presence of a trojanized OpenSSH client in one of the compromised systems alludes to the possibility that “credential stealing could be one of the ways Kobalos propagates.”
No other malware artifacts were found on the systems, nor have there been any evidence that could potentially reveal the attackers’ intent.
“We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else,” the researchers said.
But what they did uncover shows the multi-platform malware harbors some unusual techniques, including features that could turn any compromised server into a command-and-control (C&C) server for other hosts compromised by Kobalos.
In other words, infected machines can be used as proxies that connect to other compromised servers, which can then be leveraged by the operators to create new Kobalos samples that use this new C&C server to create a proxy chain comprising of multiple infected servers to reach their targets.
To maintain stealth, Kobalos authenticates connections with infected machines using a 32-byte password that’s generated and then encrypted with a 512-bit RSA private key. Subsequently, a set of RC4 keys are used — one each for inbound traffic and outbound traffic — for communications with the C&C server.
The backdoor also leverages a complex obfuscation mechanism to thwart forensic analysis by recursively calling the code to perform a wide range of subtasks.
“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” the researchers said.
“Their targets, being quite high-profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our Internet-wide scan.”