In Greek mythology, a Kobalos is a small, mischievous and restless goblin. ESET researchers named the malware after it because of its small code size. Small as it is, this malicious code is dangerous. ESET's specialists analyzed the malware, which targets high-performance computing (HPC) clusters as well as other high-profile targets.

The cybersecurity company ESET reviewed the behavior of Kobalos in an article on its website. Through reverse engineering, ESET researchers decrypted the malware, which is characterized by being small but complex. It is portable to operating systems such as Linux, Solaris and BSD, and it is likely to affect Windows and AIX as well.

The Linux threat landscape continues to evolve, and at times, malware authors invest a considerable amount of resources into their tradecraft. Kobalos is one of these cases.

ESET researchers

ESET reports that there have been several cases of attacks on HPC clusters in the past year, although they are not necessarily related to Kobalos. The cases include cryptocurrency miners, with servers compromised in China, Poland and Canada, as reported in an advisory from the European Grid Infrastructure (EGI) CSIRT. Other press releases reported on the attack on the Archer supercomputer in the UK, which had its SSH credentials stolen.

How does Kobalos work?

According to ESET, Kobalos is a generic backdoor. It has extensive code that keeps the attackers’ intentions hidden. It also has a unique feature: it contains the code to run the C&C server. Basically, Kobalos gives remote access to the file system, and it also allows spawning terminal sessions and proxying connections to other infected servers.

Overview of Kobalos functions and ways to access them, courtesy of

The most common way of reaching an infected machine is through Kobalos embedded in the OpenSSH server executable. When a connection comes from a specific TCP source port, it triggers the backdoor code. Although this is the most commonly seen method, there are other ways to reach an infected machine. One particularity also stands out in Kobalos: the code to run a C&C server is in Kobalos itself.
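Because the trigger is a fixed TCP source port, and clients normally pick a different ephemeral source port for each connection, a recurring source port on inbound SSH is worth reviewing. The following Python is an added example, not code from ESET or from this article. It assumes flow records exported by a network sensor outside the SSH hosts (a trojanized sshd cannot be trusted to log honestly); the sample records, the function name and the empty watchlist placeholder are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (src_ip, src_port, dst_ip, dst_port), as a
# network sensor outside the SSH hosts might export them. Not real data.
SAMPLE_FLOWS = """\
src_ip,src_port,dst_ip,dst_port
198.51.100.7,40001,10.0.0.5,22
203.0.113.9,51812,10.0.0.5,22
198.51.100.7,40001,10.0.0.6,22
192.0.2.44,38270,10.0.0.6,22
198.51.100.23,40001,10.0.0.7,22
192.0.2.44,40001,10.0.0.5,443
203.0.113.9,60233,10.0.0.7,22
"""

# Placeholder: source ports taken from a vendor report's indicators go here.
WATCHLIST_PORTS = frozenset()


def suspicious_source_ports(flow_csv, ssh_port=22, min_hits=3,
                            watchlist=WATCHLIST_PORTS):
    """Return {source_port: [(src_ip, dst_ip), ...]} for inbound SSH flows whose
    source port is on the watchlist or recurs at least min_hits times."""
    by_port = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) != ssh_port:
            continue  # only connections to the SSH service are relevant
        by_port[int(row["src_port"])].append((row["src_ip"], row["dst_ip"]))
    return {
        port: sorted(pairs)
        for port, pairs in by_port.items()
        if port in watchlist or len(pairs) >= min_hits
    }


if __name__ == "__main__":
    for port, pairs in suspicious_source_ports(SAMPLE_FLOWS).items():
        print(f"source port {port}: {len(pairs)} SSH connections")
        for src, dst in pairs:
            print(f"  {src} -> {dst}")
```

A hit is a lead for review, not proof of compromise: NAT devices and some scanners also reuse source ports.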

Kobalos probably propagates with the help of a “partner”. On almost all infected systems, the SSH client is compromised to steal credentials, so whoever uses the SSH client of a compromised computer will have their credentials captured. Attackers can then use those credentials to install Kobalos on the compromised server. Fortunately, ESET was able to identify a list of possible victims. They are aware of the danger and are taking precautions. ESET also hopes that the report will prompt a closer look at malware activity.
