High-performance computing clusters belonging to university networks, as well as servers affiliated with government agencies, endpoint security vendors, and internet service providers, have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely.
Cybersecurity company ESET called the malicious software “Kobalos” – a nod to a “mischievous creature” of the same name from Greek mythology – for its “small code size and lots of tricks.”
“Kobalos is a generic backdoor in the sense that it contains broad commands that do not reveal the intent of the attackers,” researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said in an analysis Tuesday. “In short, Kobalos provides remote access to the file system, provides the ability to spawn terminal sessions, and allows proxy connections to other Kobalos-infected servers.”
Aside from tracing the malicious software back to attacks against a number of high-profile targets, ESET said it can target Linux, FreeBSD, Solaris, and possibly AIX and Windows machines, with code references suggesting legacy Windows 3.11 and Windows 95 operating systems.
Kobalos infections are thought to have started in late 2019 and have since remained active throughout 2020.
The initial compromise vector used to deploy the malicious software and the threat actor’s ultimate objective remain unclear, but the presence of a trojanized OpenSSH client on one of the compromised systems points to the possibility that “credential theft could be one of the ways Kobalos propagates.”
No other malicious software artefacts were found on the systems, and no evidence was found that could possibly reveal the intent of the attackers.
“We have not found any clues as to whether they are stealing confidential information, chasing financial gain, or whether they are after something else,” the researchers said.
But what they did reveal is that the multi-platform malicious software harbors some unusual techniques, including features that can turn any compromised server into a command-and-control (C&C) server for other hosts compromised by Kobalos.
In other words, infected machines can be used as proxies that connect to other compromised servers, which the operators can then leverage to create new Kobalos samples that use this new C&C server, building a proxy chain of multiple infected servers to reach their targets.
To maintain stealth, Kobalos authenticates connections to infected machines using a 32-byte password that is generated and then encrypted with a 512-bit RSA private key. Subsequently, a set of RC4 keys – one each for inbound and outbound traffic – is used for communication with the C&C server.
The backdoor also leverages a complex obfuscation mechanism to hinder forensic analysis by recursively reusing a single block of code to perform a wide range of subtasks.
“The many well-implemented features and network evasion techniques show that the attackers behind Kobalos are far more knowledgeable than the typical malicious software writer targeting Linux and other non-Windows systems,” the researchers said.
“Their targets, as they are quite high profile, also show that Kobalos operators are not aiming to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it was not discovered until we contacted victims with the results from our Internet-wide scan.”