A small but complex strain of malware is targeting supercomputers worldwide.
Reverse-engineered by ESET and described in a blog post on Tuesday, the malware has been traced to attacks on supercomputers used by a large Asian Internet Service Provider (ISP), a US security vendor, and a number of privately held servers, among other targets.
The cybersecurity team has named the malware Kobalos after the kobalos, a small creature in Greek mythology believed to cause mischief.
Kobalos is unusual for several reasons. The malware's codebase is small but sophisticated enough to affect the Linux, BSD, and Solaris operating systems. ESET suspects it may also be capable of attacking AIX and Microsoft Windows machines.
“It has to be said that this level of sophistication is rarely seen in Linux malware,” notes cybersecurity researcher Marc-Etienne Léveillé.
While working with the CERN Computer Security Team, ESET noticed that the “unique, multiplatform” malware was targeting high-performance computing (HPC) clusters.
In some cases of infection, it appears that a ‘sidekick’ piece of malware hijacks SSH server connections to steal credentials, which are then used to gain access to HPC clusters and deploy Kobalos.
“The presence of this credential stealer may partially answer how Kobalos propagates,” the team said.
Kobalos is essentially a backdoor. Once the malware has landed on a host, the code embeds itself in a legitimate OpenSSH server binary and will trigger the backdoor if a connection arrives from a specific TCP source port.
Other variants act as intermediaries for traditional command-and-control (C2) server connections.
Kobalos gives its operators remote access to file systems, allows them to spawn terminal sessions, and acts as a connection point to other servers infected with the malware.
ESET says that a unique feature of Kobalos is its ability to turn any compromised server into a C2 server with a single command.
“As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server,” the researchers noted.
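The trigger described above, a backdoor keyed on a particular TCP source port, leaves a trace that a defender can look for: ordinary SSH clients pick a fresh ephemeral source port for every connection, so one source port recurring across several different client hosts toward tcp/22 is an anomaly worth inspecting. The following is an added example written for this page, not ESET's code or tooling; the log format, the IP addresses and the port numbers in it are constructed, and no real Kobalos trigger port is assumed because the article does not give one.

```python
import re
from collections import defaultdict

# Constructed sample connection log (assumed format, not from the page).
# Fields: timestamp src_ip:src_port -> dst_ip:dst_port proto
SAMPLE_LOG = """\
2021-02-02T10:00:01Z 198.51.100.7:51234 -> 10.0.0.5:22 tcp
2021-02-02T10:00:09Z 198.51.100.8:49872 -> 10.0.0.5:22 tcp
2021-02-02T10:01:13Z 203.0.113.4:34567 -> 10.0.0.5:22 tcp
2021-02-02T10:02:45Z 203.0.113.9:34567 -> 10.0.0.5:22 tcp
2021-02-02T10:04:02Z 192.0.2.3:34567 -> 10.0.0.5:22 tcp
2021-02-02T10:05:30Z 192.0.2.3:60011 -> 10.0.0.5:443 tcp
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of connection records.
    Lines that do not match the expected shape are skipped rather than
    raising, so a noisy export does not abort the whole scan."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sip, sport, dip, dport, proto = m.groups()
        records.append({
            "ts": ts,
            "src_ip": sip,
            "src_port": int(sport),
            "dst_ip": dip,
            "dst_port": int(dport),
            "proto": proto,
        })
    return records


def find_fixed_source_ports(records, dst_port=22, min_distinct_sources=2):
    """Return {src_port: sorted list of src_ips} for every source port that is
    reused by at least min_distinct_sources distinct client IPs when connecting
    to dst_port over TCP.  A legitimate SSH client draws an ephemeral source
    port per connection, so the same source port showing up from several hosts
    is the kind of pattern a source-port-keyed backdoor would produce.  The
    page says Kobalos reacts to a specific source port but does not name it,
    so nothing here hardcodes a port value."""
    by_port = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["dst_port"] == dst_port:
            by_port[r["src_port"]].add(r["src_ip"])
    return {
        port: sorted(ips)
        for port, ips in by_port.items()
        if len(ips) >= min_distinct_sources
    }


if __name__ == "__main__":
    hits = find_fixed_source_ports(parse_log(SAMPLE_LOG))
    for port, ips in hits.items():
        print(f"source port {port} reused by {len(ips)} clients to tcp/{22}: "
              f"{', '.join(ips)}")
```

On the constructed input the scan reports source port 34567 reused by three different clients against tcp/22, while the two ordinary connections with distinct ephemeral ports are not flagged. Because Kobalos lives inside the OpenSSH server binary, the complementary host-side check is package verification of that binary (for example `rpm -V openssh-server` on RPM-based systems or `debsums openssh-server` on Debian-based ones), which reports a modified file regardless of which source port the operators chose.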
The malware was a challenge to analyze, as all of its code is held in a single function that recursively calls itself, ESET said, adding that all strings are encrypted as an additional obstacle to reverse engineering.
For now, more research needs to be done on the malware, and on who may be responsible for its development.
“We were unable to determine the intentions of the operators of Kobalos,” ESET said. “No other malware, apart from the SSH credential stealer, was found by the system administrators of the compromised machines.
We hope that the details we present today in our new publication will help raise awareness of this threat and put its activity under the microscope.”