'Kobalos' Linux Malware Targets Supercomputers Worldwide
Report: Malware Steals SSH Credentials From High-Performance Computers
A newly identified Linux malware variant dubbed "Kobalos" is targeting high-performance computing clusters and supercomputers running multiple operating systems, a new report by security firm ESET finds.
Kobalos functions primarily as a backdoor and is designed to steal SSH credentials. SSH - Secure Shell, also called Secure Socket Shell - is a cryptographic network protocol that provides secure remote login, even over unsecured networks.
ESET describes Kobalos as "generic malware," but a highly versatile Linux strain equipped with unusual infrastructure - most notably, its command-and-control structure.
"The fact that any system compromised with Kobalos can be turned into a C&C server of other compromised hosts is quite unique," says Marc-Etienne M. Léveillé, a senior malware researcher with ESET and a co-author of the report. "The code for running such a server is in the malware itself. They are also using other Kobalos-infected hosts to control the backdoor."
As part of the investigation, the ESET researchers worked with the security team from the European Organization for Nuclear Research, or CERN.
ESET says that since the campaign began in 2019 and continued through 2020, the developers of Kobalos malware have compromised supercomputers and high-performance clusters belonging to academic researchers as well as private businesses and organizations. These targets include an Asian ISP, a U.S. endpoint security vendor and several privately held servers, among other victimized organizations.
"Our scans revealed more than five but less than 10 compromised servers belonging to academia networks. We know some of them are high-performance computers, but in some cases, it's unclear if these systems are part of the network or if the HPC itself is compromised," Léveillé says. "Our latest scans did not reveal new victims; however, it doesn't mean they halted their activities. They may just have changed the configuration of the malware, making it more difficult for us to fingerprint."
The malware targets a wide range of operating systems, including Linux, BSD and Solaris, and Kobalos might also have the ability to compromise supercomputers that run AIX and Windows, the report notes.
According to the ESET report, since the malware contains a broad set of commands that are defined using a single function, it is difficult to detect.
"Analyzing Kobalos isn't as trivial as most Linux malware because all of its code is held in a single function that recursively calls itself to perform subtasks," the report notes. "This makes it more challenging to analyze. Additionally, all strings are encrypted so it's more difficult to find the malicious code than when looking at the samples statically."
While it's not clear how the initial attack begins, the researchers say that once the malware compromises a supercomputer or high-performance cluster, it will embed itself within the system's OpenSSH server executable. From there, the backdoor code will activate if Kobalos receives a command over a specific TCP port.
The researchers also found variants of the Kobalos malware that can act as "middlemen" for other types of command-and-control connections. The malicious code will also turn an infected server into a command-and-control server.
"Any server compromised by Kobalos can be turned into a command-and-control server by the operators sending a single command," the report says. "As the command-and-control server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new command-and-control server."
In most systems compromised by Kobalos, the SSH client is altered to steal credentials, which could be one way the malware propagates, according to the report. Kobalos will also grant remote access to the file system of a compromised supercomputer, which then gives the attackers the ability to spawn terminal sessions and also allows proxy connections to other Kobalos-infected servers.
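Because the report says the backdoor lives inside the OpenSSH server executable and the SSH client is modified to capture credentials, a defender's first check on an HPC login node is whether the installed OpenSSH files still match the package database. The following is an added example, not code from ESET or the report: it parses the verification output of `rpm -V` and `dpkg --verify` (nine-character attribute field, optional file-type letter, path) and separates content-modified executables from modified config files. The sample lines are constructed, and the output format is assumed from those two tools.

```python
"""Flag OpenSSH files whose on-disk content no longer matches the package
database, a first check for a trojanized sshd/ssh as described in the
Kobalos report.  Sample lines below are constructed, not real output."""
import re

# rpm -V and dpkg -V both print a 9-character attribute field, an optional
# file-type letter (c = config file), then the path.  Attribute positions:
# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime,
# P capabilities.  '.' means the attribute matched, '?' means not checked.
_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)


def parse_verify_line(line):
    """Return (path, attrs, is_config) or None for non-record lines."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m.group("path"), m.group("attrs"), m.group("type") == "c"


def content_changed(attrs):
    """True when the size or the digest differs from the package database."""
    return attrs[0] == "S" or attrs[2] == "5"


def modified_ssh_files(verify_output):
    """Split verification output into (modified executables, modified configs).

    Records whose only drift is mtime, mode or ownership are ignored: they
    do not indicate replaced file content.
    """
    binaries, configs = [], []
    for line in verify_output.splitlines():
        rec = parse_verify_line(line)
        if rec is None or not content_changed(rec[1]):
            continue
        path, _attrs, is_config = rec
        (configs if is_config else binaries).append(path)
    return binaries, configs


# Constructed sample output (e.g. `rpm -V openssh-server openssh-clients`).
SAMPLE_RPM = """\
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh-keygen
S.5....T.  c /etc/ssh/sshd_config
"""
# Constructed sample output (e.g. `dpkg --verify openssh-client`).
SAMPLE_DPKG = """\
??5??????    /usr/bin/ssh
??5?????? c /etc/ssh/ssh_config
"""
```

On a host that may already be compromised, the package database itself can be tampered with, so a mismatch-free result is not proof of integrity; compare the binaries against a pristine copy of the package obtained offline as well.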
Other HPC Attacks
In May 2020, the University of Edinburgh in the U.K. was forced to cut off research access to its supercomputer called ARCHER after it was infected with Linux malware as part of a wider cryptomining botnet campaign. Following the incidents, victims across Canada, China, the U.S. and parts of Europe reported their high-performance computing labs had been affected by malware (see: Supercomputer Intrusions Trace to Cryptocurrency Miners).
In the same month, the security team at European Grid Infrastructure, which coordinates supercomputer research across Europe, said that its members had witnessed similar attacks.
The ESET report notes that the Kobalos attacks predate these other incidents involving cryptominers, and since the Linux malware functions differently, it's likely these malicious campaigns are not connected.