Kobalos, a malware that steals SSH credentials on Linux, BSD and Solaris

In a recently published report, ESET security researchers analyzed a malware that primarily targets high-performance computers (HPC) and university and research network servers.

Through reverse engineering, they discovered that a new backdoor targets supercomputers around the world, often stealing credentials for secure network connections by means of a trojanized version of the OpenSSH software.

“We reverse engineered this small, but complex malware that is portable to many operating systems, including Linux, BSD, and Solaris.

Some artifacts discovered during the scan indicate that there may also be variations for AIX and Windows operating systems.

We call this malware Kobalos because of the small size of its code and its many tricks.”

“We have worked with CERN's computer security team and other organizations involved in the fight against attacks on scientific research networks. According to them, the use of Kobalos malware is innovative.”

OpenSSH (OpenBSD Secure Shell) is a set of free computer tools that allow secure communications on a computer network using the SSH protocol. It encrypts all traffic to prevent connection hijacking and other attacks. In addition, OpenSSH provides various authentication methods and sophisticated configuration options.
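Because the article describes a backdoor that lives inside the OpenSSH server binary itself, the first thing a defender wants is a way to confirm that the installed sshd still matches a known-good build. The script below is an added example written for this article, not ESET's tooling or OpenSSH's own code. It assumes a SHA-256 manifest in `sha256sum` format recorded from a trusted build or package; the files and digests it creates in a temporary directory are constructed stand-ins. On real hosts the distribution's own checks (`dpkg -V openssh-server`, `rpm -V openssh-server`) do the same job against the package database.

```python
"""Check installed OpenSSH binaries against a known-good SHA-256 manifest.
Added example (not ESET's or OpenSSH's code). The manifest is assumed to
come from a trusted build or package; all files below are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 (binaries can be large)."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Manifest lines in `sha256sum` format: '<hex digest>  <path>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        digest, path = line.split(None, 1)
        entries[path.strip()] = digest.lower()
    return entries


def verify_manifest(manifest, root='/'):
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'} for each manifest entry.
    `root` lets the check run against a mounted image from trusted media."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel.lstrip('/'))
        if not os.path.exists(full):
            results[rel] = 'MISSING'
        elif sha256_file(full) != expected:
            results[rel] = 'MODIFIED'
        else:
            results[rel] = 'ok'
    return results


def demo():
    """Build a throwaway tree with one intact and one tampered binary
    (constructed stand-ins for the real OpenSSH files)."""
    good = b'#!/bin/sh\necho legitimate sshd stand-in\n'
    good_digest = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, 'usr/sbin'))
        os.makedirs(os.path.join(root, 'usr/bin'))
        with open(os.path.join(root, 'usr/sbin/sshd'), 'wb') as f:
            f.write(good + b'# extra code appended\n')   # tampered copy
        with open(os.path.join(root, 'usr/bin/ssh'), 'wb') as f:
            f.write(good)                                # untouched copy
        manifest = parse_manifest(
            f"{good_digest}  /usr/sbin/sshd\n"
            f"{good_digest}  /usr/bin/ssh\n"
            f"{'0' * 64}  /usr/bin/ssh-keygen\n")        # placeholder, file absent
        return verify_manifest(manifest, root)


if __name__ == '__main__':
    for path, status in demo().items():
        print(f'{status:9s} {path}')
```

Run the check from a trusted environment (rescue media or a read-only mount of the suspect disk, via the `root` argument) rather than from the possibly compromised host, since a backdoored system cannot be trusted to report its own file contents honestly.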

About Kobalos

According to the authors of that report, Kobalos is not exclusively targeting HPCs. Although many of the compromised systems were supercomputers and servers in academia and research, an Internet provider in Asia, a security service provider in North America, as well as some personal servers were also compromised by this threat.

Kobalos is a generic backdoor: its commands do not reveal the attackers' intent. In addition, it allows remote access to the file system, offers the ability to open terminal sessions, and allows proxying connections to other servers infected with Kobalos.

Although the Kobalos design is complex, its functionality is limited and almost entirely related to concealed access through a backdoor.

Once fully deployed, the malware grants access to the compromised system's file system and allows access to a remote terminal that gives attackers the ability to execute arbitrary commands.

Operating mode

In one mode, the malware acts as a passive implant that opens a TCP port on an infected machine and waits for an incoming connection from an attacker. Another mode allows the malware to turn target servers into command and control (C&C) servers to which other Kobalos-infected devices connect. The infected machines can also be used as proxies connecting to other servers compromised by the malware.

An interesting feature that distinguishes this malware is that its code is packed into a single function, and there is only one call to it from the legitimate OpenSSH code. However, it has a non-linear control flow, recursively calling this function to perform subtasks.

The researchers found that remote clients have three options for connecting to Kobalos:

  1. Open a TCP port and wait for an incoming connection (sometimes called a "passive backdoor").
  2. Connect to another Kobalos instance configured to serve as a server.
  3. Wait for connections to a legitimate service that is already running, but which come from a specific source TCP port (the case of the infected OpenSSH server).

Although there are several ways attackers can reach a machine infected with Kobalos, the most used method is the one in which the malware is embedded in the OpenSSH server executable and activates the backdoor code only if the connection comes from a specific TCP source port.
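The three access modes listed above and the source-port trigger described in this paragraph suggest two host-side checks a defender can run against the kernel's socket table: an sshd process listening on a port that sshd_config never asked for (mode 1), and connections to sshd whose client source port is fixed rather than ephemeral (mode 3). The script below is an added example written for this article, not ESET's tooling or anything from their report. The sample lines follow the column layout of `ss -tanp` and are constructed (documentation IP ranges, made-up PIDs); the allowed port set `{22}` and the threshold of three distinct peers are assumed baselines.

```python
"""Audit an ss-style TCP socket table for the two Kobalos access modes the
article describes: sshd listening on an unexpected port, and client
connections to sshd arriving from a fixed, reused source port.
Added example, not ESET's tooling; all sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample in the column layout of `ss -tanp`:
# State Recv-Q Send-Q Local_Address:Port Peer_Address:Port Process
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:55555 0.0.0.0:* users:(("sshd",pid=812,fd=7))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=410,fd=6))
ESTAB 0 0 10.0.0.2:22 203.0.113.5:51234 users:(("sshd",pid=900,fd=4))
ESTAB 0 0 10.0.0.2:22 203.0.113.7:51234 users:(("sshd",pid=901,fd=4))
ESTAB 0 0 10.0.0.2:22 198.51.100.9:51234 users:(("sshd",pid=902,fd=4))
ESTAB 0 0 10.0.0.2:22 198.51.100.20:40022 users:(("sshd",pid=903,fd=4))
ESTAB 0 0 10.0.0.2:22 192.0.2.33:1021 users:(("sshd",pid=904,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_addr(addr):
    """'203.0.113.5:51234' -> ('203.0.113.5', 51234); '0.0.0.0:*' -> (..., None)."""
    host, _, port = addr.rpartition(':')
    return host, (int(port) if port.isdigit() else None)


def parse_ss(text):
    """Parse ss -tanp style lines into dicts; skips a header row if present."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == 'State':
            continue
        proc = fields[5] if len(fields) > 5 else ''
        m = PROC_RE.search(proc)
        rows.append({
            'state': fields[0],
            'local': split_addr(fields[3]),
            'peer': split_addr(fields[4]),
            'process': m.group(1) if m else None,
            'pid': int(m.group(2)) if m else None,
        })
    return rows


def unexpected_sshd_listeners(rows, allowed_ports=frozenset({22})):
    """Ports an sshd process listens on that are not in the assumed baseline
    (in practice: the Port/ListenAddress directives of sshd_config)."""
    return sorted({r['local'][1] for r in rows
                   if r['state'] == 'LISTEN' and r['process'] == 'sshd'
                   and r['local'][1] not in allowed_ports})


def suspicious_source_ports(rows, ssh_ports=frozenset({22}), min_peers=3):
    """Client source ports of connections to sshd that are either shared by
    several distinct peers at once or lie in the privileged range (<1024).
    Ordinary clients pick a fresh ephemeral port per connection, so neither
    pattern is expected from legitimate SSH traffic."""
    peers_by_sport = defaultdict(set)
    for r in rows:
        if r['state'] != 'ESTAB' or r['local'][1] not in ssh_ports:
            continue
        host, sport = r['peer']
        peers_by_sport[sport].add(host)
    findings = {}
    for sport, hosts in peers_by_sport.items():
        reasons = []
        if len(hosts) >= min_peers:
            reasons.append(f'{len(hosts)} distinct peers share source port')
        if sport < 1024:
            reasons.append('privileged (non-ephemeral) source port')
        if reasons:
            findings[sport] = reasons
    return findings


if __name__ == '__main__':
    table = parse_ss(SAMPLE_SS_OUTPUT)
    print('sshd listening on unexpected ports:', unexpected_sshd_listeners(table))
    for sport, reasons in suspicious_source_ports(table).items():
        print(f'source port {sport}: ' + '; '.join(reasons))
```

A single `ss` snapshot only sees connections that are alive at that moment, so in practice feed the same logic with connection records collected over time (firewall or conntrack logs) and raise the peer threshold to fit the host's normal traffic. A few legacy services (rsh/rlogin-style clients, some NFS configurations) do connect from privileged source ports, so treat that finding as a prompt to look, not as proof on its own.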

The malware also encrypts traffic to and from the attackers. To do this, the attackers must authenticate with an RSA-512 key and a password. That key generates and encrypts two 16-byte keys, which in turn encrypt the communication using RC4.

Also, the backdoor can switch communication to another port and act as a proxy to reach other compromised servers.

Given its small code base (only 24 KB) and its efficiency, ESET states that the sophistication of Kobalos is "rarely seen in Linux malware".

Source: https://www.welivesecurity.com
