Kobalos is a backdoor that targets Unix-like systems and was recently discovered by the ESET team. Its name refers to its tiny code size and the many tricks found during its analysis. It targets UNIX-based systems including Linux, FreeBSD and Solaris, and possibly AIX and Windows. The code grants remote access to the file system, allows the criminals to open terminal sessions and proxies connections to other Kobalos-infected servers around the globe.
This threat has mainly targeted high-performance computing (HPC) clusters, among other high-profile targets. For instance, the EGI CSIRT advisory reports compromised servers in Poland, Canada and China being used to carry out these attacks. Figure 1 shows how this threat is distributed globally.
Figure 1: Global distribution of the Kobalos malware (source).
The initial foothold is achieved by compromising credentials to gain administrative access and then installing the Kobalos backdoor. The criminals then replace the legitimate SSH client with a trojanized OpenSSH client.
"The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file," says ESET.
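A replaced /usr/bin/ssh is something a defender can check for directly. The script below is an added example, not code from the article or from ESET: it compares a binary against a known-good SHA-256 hash and, where a package manager is available, asks it whether the installed OpenSSH client files still match what the package shipped. The package names openssh-client (Debian) and openssh-clients (RHEL) are real; the hash manifest and file paths used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: integrity checks for the SSH client binary (not the article's code).

# sha256_of FILE: print the SHA-256 hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_binary_hash FILE EXPECTED_SHA256
# Returns 0 when the file matches the known-good hash, 1 on mismatch
# (a possible trojanized binary), 2 when the file does not exist.
check_binary_hash() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: $file (expected $expected, got $actual)" >&2
    return 1
}

# verify_ssh_client: compare the installed OpenSSH client package against the
# package manager's own file records. Any reported change to /usr/bin/ssh is
# worth investigating. Returns the package manager's exit status, or 2 when
# neither dpkg nor rpm is available.
verify_ssh_client() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --verify openssh-client
    elif command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-clients
    else
        echo "no dpkg/rpm found; use check_binary_hash with a known-good hash" >&2
        return 2
    fi
}

# Usage on a live host (output is empty when nothing was modified):
#   verify_ssh_client
#   check_binary_hash /usr/bin/ssh "<sha256 taken from a trusted copy of the package>"
```

Record the expected hash from a trusted copy of the package, not from the host under investigation, since a compromised host may also carry a tampered package database.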
Kobalos: modus operandi