‘Small, mischievous’ Linux backdoor malware spotted targeting supercomputers

Researchers from Slovakian infosec firm ESET have uncovered a new strain of Linux malware that targets high-performance computing clusters – aka supercomputers – running OSes including Linux, Solaris, and IBM AIX.

The malware, nicknamed Kobalos, is a backdoor “containing broad commands” whose full purpose is not yet known, though it is capable of granting malicious folk remote access to a marked system, opening terminal sessions and turning machines into a command ‘n’ control server.

“In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers,” said ESET researcher Marc-Etienne Léveillé, who uncovered Kobalos.

What’s in a name? Léveillé said: “We have named this malware Kobalos for its tiny code size and many tricks; in Greek mythology, a kobalos is a small, mischievous creature.”

The company said it alerted CERN’s Computer Security Team and other organisations to help mitigate attacks on supercomputers in scientific research networks. Targeted operating systems included Linux-based OSes like BSD (the precise flavour of which wasn’t specified) and Solaris, with Léveillé tentatively identifying IBM’s AIX and Windows as potential further targets.

“Among other targets was a large Asian ISP, a North American endpoint security vendor as well as several privately held servers,” said ESET in a statement.

The malware’s C2 server capabilities seem a little clunky. ESET found that its required server IP addresses and port numbers were hardcoded into the Kobalos-laden OpenSSH server executable at the heart of the malware. Updating C2 server details requires distribution of a new executable containing the new details.

“Anyone using the SSH client of a compromised machine will have their credentials captured,” added Léveillé. “Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later.”
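Because Kobalos ships as a trojanised OpenSSH server with its C2 details baked in, and the matching client quietly logs credentials, one practical check a defender can run is to compare the installed ssh/sshd binaries against the checksums the package manager recorded at install time. The script below is an added example, not ESET's code or part of their report; it assumes the Debian-style `/var/lib/dpkg/info/<pkg>.md5sums` format (one `<md5hex>  <relative path>` line per file), and the md5sums text and file contents it verifies are constructed for the demo.

```python
"""Verify installed OpenSSH files against package-recorded md5sums.
Added example, not ESET's code. Assumes the dpkg md5sums line format
"<md5hex>  <path relative to />"; demo data below is constructed."""
import hashlib
from pathlib import Path


def parse_md5sums(text: str) -> dict:
    """Parse dpkg md5sums text into {absolute path: expected md5 hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel = line.partition("  ")
        expected["/" + rel.strip()] = digest.lower()
    return expected


def verify_files(expected: dict, read_file) -> dict:
    """Return {path: 'ok' | 'MODIFIED' | 'MISSING'}.
    read_file(path) returns the file's bytes, or None if it is absent."""
    results = {}
    for path, digest in expected.items():
        data = read_file(path)
        if data is None:
            results[path] = "MISSING"
        elif hashlib.md5(data).hexdigest() != digest:
            results[path] = "MODIFIED"  # differs from what the package shipped
        else:
            results[path] = "ok"
    return results


def read_from_disk(path: str):
    """Real-world reader: use with parse_md5sums(open(md5sums_file).read())."""
    p = Path(path)
    return p.read_bytes() if p.is_file() else None


# Constructed demo: sshd has been replaced, ssh is intact, scp is gone.
DEMO_FILES = {"/usr/sbin/sshd": b"trojanised sshd", "/usr/bin/ssh": b"genuine ssh"}
DEMO_MD5SUMS = (
    f"{hashlib.md5(b'genuine sshd').hexdigest()}  usr/sbin/sshd\n"
    f"{hashlib.md5(b'genuine ssh').hexdigest()}  usr/bin/ssh\n"
    f"{hashlib.md5(b'genuine scp').hexdigest()}  usr/bin/scp\n"
)


def demo() -> dict:
    return verify_files(parse_md5sums(DEMO_MD5SUMS), DEMO_FILES.get)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

On a live host, `debsums openssh-server` or `rpm -V openssh-server` performs the same comparison; if the attacker had root, the local md5sums database may itself have been edited, so compare against a freshly downloaded copy of the package where possible.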

ESET was unwilling to attribute the malware to any known group of hackers or nation states.

Mitigating the malware could be as straightforward as enforcing multi-factor authentication, said ESET.

Linux malware is uncommon but far from rare. Last year Microsoft declared its support for hunting down in-memory malware targeting Linux servers (machines infrequently rebooted and therefore at increased risk), while China’s APT41 was revealed to have spent five years poking around various Linux boxen. ®