Kobalos

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Kobalos is a unique, multiplatform malware that has been identified as a significant threat to supercomputers worldwide. Named after a small, mischievous creature from Greek mythology due to its tiny code size and many tricks, Kobalos infiltrates systems by replacing the SSH client on compromised systems to steal credentials. The malware has been designed to be elusive, with its code flattened into a single function using a custom packer and its strings encrypted. In addition to this, it uses an existing open port to reach its target, making it harder to detect. It was revealed in a paper titled “A wild Kobalos appears: Tricksy Linux malware goes after HPCs,” which describes the inner workings of this threat. Kobalos employs several sophisticated techniques to ensure its persistence and evade detection. Its authentication and key exchange are performed using RSA-512 asymmetric cryptography, while post-authentication communication is encrypted with RC4 symmetric cryptography. This malware can also serve as a proxy to other compromised systems, further complicating mitigation efforts. Notably, when files are replaced by Kobalos operators, timestamps are forged, and no command history related to the attack is found on infected machines. Additionally, Kobalos may embed its malicious payload in the OpenSSH server and replace the legitimate file (sshd), ensuring its continued presence within the system. The discovery of Kobalos comes amidst a series of security incidents involving High-Performance Computing (HPC) clusters over the past year. While these events may not be directly linked to Kobalos, they underscore the escalating threats facing these critical infrastructures. To counter such sophisticated threats, organizations need to adopt robust security measures, including regularly updating software, monitoring network traffic for unusual patterns, and educating users about the risks of suspicious downloads, emails, or websites.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Kobalos Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Kobalos – A complex Linux threat to high performance computing infrastructure | WeLiveSecurity
CERT-EU
a year ago
Cybersecurity threatscape: year 2021 in review