Kobalos

Malware Profile Updated 3 months ago
Kobalos is a small, multiplatform backdoor that has been found on supercomputers and other high-performance computing (HPC) systems worldwide. ESET named it after the kobalos, a small, mischievous creature from Greek mythology, because of its tiny code size and its many tricks. The malware was documented in the ESET paper "A wild Kobalos appears: Tricksy Linux malware goes after HPCs," which describes its inner workings.

On compromised hosts the operators replace the SSH client with a trojanized copy that records the credentials users type into it, giving the operators valid logins to further systems.

Kobalos is built to be hard to analyse and hard to notice. A custom packer flattens its code into a single function and its strings are stored encrypted (T1027.002). It does not open a listening port of its own: the backdoor is reached through a port the host already exposes (traffic signaling, T1205). In particular, the payload can be embedded in the OpenSSH server so that the legitimate sshd binary is replaced (T1554); the backdoor is then served on the same port as normal SSH logins and remains in place across restarts.

Authentication and key exchange with the operator use RSA-512 asymmetric cryptography (T1573.002), and traffic after authentication is encrypted with RC4 (T1573.001). Neither algorithm is considered secure today (512-bit RSA keys have been publicly factored since 1999 and RC4 has well-known keystream biases), but they suffice to hide the command channel from traffic inspection. An infected host can also act as a proxy to other compromised systems (T1090.003), letting the operators chain through several machines and complicating cleanup.

The operators also cover their tracks: when files are replaced, the timestamps of the new files are forged (T1070.006), and infected machines hold no shell command history related to the attack (T1070.003).

The discovery of Kobalos came amid a series of security incidents affecting HPC clusters over the preceding year. Those events are not known to be linked to Kobalos, but they underscore the growing threat to this infrastructure. Defenders should keep software current, monitor network traffic for unusual patterns, and train users to be wary of suspicious downloads, emails, or websites. Because the trojanized client harvests SSH credentials, the ESET authors also recommend requiring two-factor authentication for SSH access.
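The profile says the operators replace ssh and sshd and forge the timestamps of the new files. The following triage script, an added example that is not code from Cybergeist, ESET or the Kobalos paper, turns that into two checks a responder can run on a suspect host: verifying the OpenSSH binaries against the package manager (rpm -V or dpkg -V), and comparing the inode change time (ctime) of the binary with that of the other files its package installed, since utime() can forge atime and mtime but ctime is set by the kernel. The package names, binary paths and one-hour tolerance are assumptions about a typical Linux host; the sample verify-output lines in the docstring are constructed.

```python
"""Triage checks for a Kobalos-style replacement of the OpenSSH binaries.

Added example for this profile; not code from Cybergeist, ESET or the
Kobalos paper. Two checks:
  1. the replaced ssh client / sshd should no longer match what the package
     manager installed (rpm -V / dpkg -V), and
  2. forged timestamps only go so far: utime() sets atime and mtime, but the
     inode change time (ctime) is set by the kernel, so a binary whose ctime
     is far later than that of the other files installed by the same package
     was rewritten after installation, whatever its mtime claims.
Package names, paths and the one-hour tolerance are assumptions about a
typical Linux host.
"""
import os
import shutil
import subprocess

# Meaning of the 9-character attribute field printed by rpm -V; dpkg -V uses
# the same layout and prints '?' for attributes it does not check.
RPM_FLAG_MEANING = ("size", "mode", "digest", "device", "readlink",
                    "user", "group", "mtime", "capabilities")

# Assumed package/binary pairs for RPM- and Debian-based distributions.
TARGETS = [("openssh-clients", "/usr/bin/ssh"), ("openssh-client", "/usr/bin/ssh"),
           ("openssh-server", "/usr/sbin/sshd")]


def parse_rpm_verify(output: str) -> dict:
    """Parse rpm -V / dpkg -V output into {path: [changed attributes]}.

    Constructed sample lines: 'S.5....T.    /usr/sbin/sshd',
    '??5??????  /usr/bin/ssh' or 'missing     c /etc/ssh/sshd_config'.
    Unchanged files are not listed, and non-file lines (for example
    'Unsatisfied dependencies ...') are ignored.
    """
    findings = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        flags, path = parts[0], parts[-1]
        if flags == "missing":
            findings[path] = ["missing"]
        elif len(flags) == 9:
            changed = [RPM_FLAG_MEANING[i] for i, c in enumerate(flags) if c not in ".?"]
            if changed:
                findings[path] = changed
    return findings


def ctime_outlier(target_ctime: float, sibling_ctimes: list, tolerance_s: float = 3600.0) -> bool:
    """True when the target's ctime is later than every sibling's by more than
    tolerance_s. Files written by one package transaction get ctimes within
    seconds of each other; a much later ctime means a later rewrite."""
    if not sibling_ctimes:
        return False
    return target_ctime - max(sibling_ctimes) > tolerance_s


def package_tool() -> str:
    """Pick the package database that owns the host's binaries (assumption:
    dpkg-based hosts have /var/lib/dpkg; anything else with rpm uses rpm)."""
    if os.path.isdir("/var/lib/dpkg") and shutil.which("dpkg"):
        return "dpkg"
    if shutil.which("rpm"):
        return "rpm"
    return ""


def live_checks(package: str, target: str, tolerance_s: float = 3600.0) -> dict:
    """Run both checks against the live system. Returns {} when the package
    manager, the package or the binary is absent, so it is safe on any host."""
    tool = package_tool()
    if not tool or not os.path.isfile(target):
        return {}
    verify = subprocess.run([tool, "-V", package], capture_output=True, text=True)
    listing = subprocess.run([tool, "-L" if tool == "dpkg" else "-ql", package],
                             capture_output=True, text=True)
    if listing.returncode != 0:
        return {}
    # Config files under /etc are edited legitimately; compare against the
    # package's other installed regular files instead.
    siblings = [os.stat(f).st_ctime for f in listing.stdout.split()
                if f != target and not f.startswith("/etc/") and os.path.isfile(f)]
    return {
        "package_verify": parse_rpm_verify(verify.stdout),
        "ctime_outlier": ctime_outlier(os.stat(target).st_ctime, siblings, tolerance_s),
    }


if __name__ == "__main__":
    for pkg, binary in TARGETS:
        result = live_checks(pkg, binary)
        if result:
            print(pkg, binary, result)
```

Two caveats apply. The package check trusts the local rpm or dpkg database, which an attacker with root can edit, so on a seriously suspect host compare hashes against a clean copy of the package instead. The ctime heuristic goes blind if the package was upgraded after the compromise (all files then share a fresh ctime) or if the attacker reset the system clock before writing the file, and it is a triage signal, not proof of Kobalos.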
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance.

Keywords: Backdoor, Trojan, Malware, Linux, Proxy, Payload, OpenSSH, SSH

MITRE ATT&CK techniques:
T1554 Compromise Host Software Binary
T1070.003 Indicator Removal: Clear Command History
T1070.006 Indicator Removal: Timestomp
T1205 Traffic Signaling
T1027.002 Obfuscated Files or Information: Software Packing
T1573.001 Encrypted Channel: Symmetric Cryptography
T1573.002 Encrypted Channel: Asymmetric Cryptography
T1090.003 Proxy: Multi-hop Proxy
Associated Malware
No associations to display

Associated Threat Actors
No associations to display

Associated Vulnerabilities
No associations to display
Source Document References
Information about the Kobalos malware was read from the documents below (display limited to 20 results).

Source: MITRE (a year ago)
Title: Kobalos – A complex Linux threat to high performance computing infrastructure | WeLiveSecurity

Source: CERT-EU (a year ago)
Title: Cybersecurity threatscape: year 2021 in review