In general, this threat has been targeting high-performance computing (HPC) clusters, among other high-profile targets. For instance, the EGI CSIRT advisory shows compromised servers in Poland, Canada and China used to carry out these attacks. Figure 1 shows how this threat is distributed globally.
Figure 1: Global distribution of the Kobalos malware (source).
The initial foothold is achieved by compromising credentials to gain administrative access and then installing the Kobalos backdoor. The criminals then deploy a trojanized OpenSSH client as a credential stealer: the /usr/bin/ssh file was replaced with a modified executable that recorded the username, password and target hostname and wrote them to an encrypted file, according to ESET.
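A defender's first check against the replaced /usr/bin/ssh described above is to compare the on-disk binary with a trusted baseline and with the package database. The following is an added example, not code from the original article or from ESET; the baseline hash is a placeholder to be taken from the distribution's genuine package, and the `rpm -Vf` / `dpkg -S` + `dpkg --verify` commands are the standard package-manager verification commands, not anything specific to Kobalos.

```python
import hashlib
import subprocess

# Placeholder: replace with the SHA-256 of the genuine /usr/bin/ssh taken from
# the distribution package (openssh-client .deb / openssh-clients .rpm) or from
# an offline baseline. It is NOT a real value.
EXPECTED_SHA256_PLACEHOLDER = "0" * 64


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_ssh_client(path: str, expected_sha256: str) -> dict:
    """Compare an installed ssh binary with a trusted baseline hash.

    'replaced' is True when the on-disk file no longer matches the baseline,
    which is exactly the artifact the trojanized client leaves behind.
    """
    actual = sha256_of(path)
    return {
        "path": path,
        "sha256": actual,
        "replaced": actual != expected_sha256.lower(),
    }


def package_manager_verify(path: str = "/usr/bin/ssh") -> str:
    """Cross-check with the package database.

    RPM systems: 'rpm -Vf <file>' verifies the package owning the file.
    Debian-based: 'dpkg -S <file>' names the owning package, then
    'dpkg --verify <pkg>' reports files whose checksum changed.
    Empty output means the file verified clean.
    """
    try:
        return subprocess.run(["rpm", "-Vf", path],
                              capture_output=True, text=True).stdout
    except FileNotFoundError:
        pass
    try:
        owner = subprocess.run(["dpkg", "-S", path], capture_output=True,
                               text=True, check=True).stdout
        pkg = owner.split(":", 1)[0].strip()   # "openssh-client: /usr/bin/ssh"
        return subprocess.run(["dpkg", "--verify", pkg],
                              capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "no rpm/dpkg available; rely on the hash comparison"


if __name__ == "__main__":
    print(check_ssh_client("/usr/bin/ssh", EXPECTED_SHA256_PLACEHOLDER))
    print(package_manager_verify("/usr/bin/ssh")
          or "package manager reports no modification")
```

The hash comparison is only as trustworthy as its baseline: an intruder with administrative access can also alter the local package database, so the expected hash should come from an offline or vendor source, and a clean `rpm -V` / `dpkg --verify` result should not be treated as proof of integrity on its own.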
Kobalos: modus operandi
Kobalos is a powerful piece of malware. It contains a set of commands whose malicious intent is not obvious at first glance. The backdoor grants remote access to the operating system's file system, can spawn terminal sessions, and proxies connections to other Kobalos-infected servers around the Internet, as depicted below.
Figure 2: High-level diagram of the Kobalos backdoor.
As shown above, there are several ways of connecting to and interacting with infected hosts. The generic method relies on the trojanized sshd: Kobalos spawns a new session if the connection comes from a specific source port. Other variants are not available in the malware source code. Criminals gain access to an infected machine through a C2 server that acts as a man-in-the-middle (MITM) agent, connecting to other infected hosts via specific TCP ports. A detail that makes this backdoor unique is that each Kobalos-infected host can itself act as a C2 server. Since the C2 IP addresses and ports are hardcoded into the executable, the operators can generate new Kobalos samples that use new C2 servers hosted on the targets' own infrastructure.
Figure 3: Kobalos hardcoded configuration.
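The two network behaviours described above, a session triggered by a fixed source port and infected hosts relaying to one another, can be hunted for in flow records. The following is an added example, not code from the original article or from ESET: the trigger port value is a placeholder because the page does not give it (take the real value from ESET's indicators), the flow-line format is constructed for this example, and the addresses are RFC 5737 documentation ranges rather than real telemetry.

```python
from dataclasses import dataclass

# Placeholder: the article says a specific source port triggers the backdoor
# but does not name it. Substitute the value from the published IoCs.
TRIGGER_SRC_PORT = 55555


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <sport> <dst> <dport>'."""
    ts, src, sport, dst, dport = line.split()
    return Flow(ts, src, int(sport), dst, int(dport))


# Constructed sample flows (documentation addresses), not real data.
# 203.0.113.5 triggers .10, which then triggers .20, which triggers .30:
# the chained-proxy pattern where each infected host acts as a C2 for the next.
SAMPLE_LOG = """\
2021-02-01T10:00:00Z 203.0.113.5 55555 198.51.100.10 22
2021-02-01T10:00:01Z 192.0.2.77 49152 198.51.100.10 22
2021-02-01T10:00:05Z 198.51.100.10 55555 198.51.100.20 22
2021-02-01T10:00:09Z 198.51.100.20 55555 198.51.100.30 22
2021-02-01T10:01:00Z 192.0.2.10 51000 198.51.100.30 22
"""


def trigger_connections(flows, trigger_port=TRIGGER_SRC_PORT):
    """SSH connections whose source port is the backdoor trigger port."""
    return [f for f in flows if f.dport == 22 and f.sport == trigger_port]


def relay_hosts(flows, trigger_port=TRIGGER_SRC_PORT):
    """Hosts that both received a trigger-port connection and initiated one:
    consistent with an infected host proxying the operator onward."""
    hits = trigger_connections(flows, trigger_port)
    received = {f.dst for f in hits}
    initiated = {f.src for f in hits}
    return sorted(received & initiated)


def analyse(log_text: str, trigger_port=TRIGGER_SRC_PORT) -> dict:
    """Summarise a flow log: trigger hits, relay hosts and every host involved."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    hits = trigger_connections(flows, trigger_port)
    involved = {f.src for f in hits} | {f.dst for f in hits}
    return {
        "trigger_connections": len(hits),
        "relay_hosts": relay_hosts(flows, trigger_port),
        "suspect_hosts": sorted(involved),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A source port on its own is a weak signal, since ordinary clients pick ephemeral ports at random and will occasionally collide with any fixed value; the relay pattern (a host that is both target and initiator of such connections) is the stronger indicator and is what justifies pulling the host-level artifacts discussed later.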
The obfuscation layers of Kobalos
Kobalos uses a single function that recursively calls other functions at run-time, which makes analyzing Kobalos a non-trivial task. Figure 4 shows a high-level diagram of the main call and its sub-calls.
Figure 4: Control flow graph of the Kobalos malware.
In addition, there are no readable plain-text strings in the binary. The strings are encrypted with the RC4 algorithm and decrypted after the initial communication. The same key is shared between different samples: AE 0E 05 09 0F 3A C2 B5 0B 1B C6 E9 1D 2F E3 CE. The decrypted strings of the Kobalos backdoor are the following:
%s %s
/dev/ptmx
ptem
ldterm
ttcompat
/dev/tty
%s
%d
/
%d.%d
win3.11
win95
winNT
win??
\.\pipe\2
%s %s.%s
/dev/ptc
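Because the RC4 key above is shared across samples, an analyst can both decrypt recovered string blobs and turn the known plaintexts into fixed byte signatures. The following is an added example, not code from the original article or from ESET; it assumes each string is RC4-encrypted independently from keystream offset zero, which the page does not state, so the generated signatures are illustrative of the method rather than confirmed Kobalos indicators.

```python
# Shared RC4 key quoted in the article (page value, not constructed).
KOBALOS_RC4_KEY = bytes.fromhex("AE 0E 05 09 0F 3A C2 B5 0B 1B C6 E9 1D 2F E3 CE")

# Decrypted strings listed in the article that are long enough to be useful
# as signatures (the short format strings like "%s" are omitted).
KNOWN_PLAINTEXT_STRINGS = [
    b"/dev/ptmx", b"ptem", b"ldterm", b"ttcompat", b"/dev/tty",
    b"win3.11", b"win95", b"winNT", b"/dev/ptc",
]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling then keystream XOR. Encrypt == decrypt."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_signatures(key: bytes, plaintexts) -> dict:
    """Map each known plaintext to its ciphertext under the shared key.

    Assumption (not stated in the article): every string is encrypted on its
    own, starting from keystream offset 0, so the ciphertext is constant.
    """
    return {p: rc4(key, p) for p in plaintexts}


def scan_blob(blob: bytes, signatures: dict) -> list:
    """Return the plaintexts whose ciphertext occurs in an unknown blob,
    e.g. a memory dump or an extracted .rodata section."""
    return sorted(p.decode() for p, c in signatures.items() if c in blob)


if __name__ == "__main__":
    sigs = build_signatures(KOBALOS_RC4_KEY, KNOWN_PLAINTEXT_STRINGS)
    for plain, cipher in sigs.items():
        print(f"{plain.decode():<10} -> {cipher.hex()}")
    # Constructed blob: padding around two encrypted strings.
    blob = b"\x00" * 16 + sigs[b"/dev/ptmx"] + b"\xff" * 8 + sigs[b"ldterm"]
    print("found:", scan_blob(blob, sigs))
```

If a sample turns out to encrypt all strings as one contiguous stream, the per-string offsets change and the signatures must be regenerated from the stream position; the decryption routine itself is unaffected, which is why the key being shared across samples matters more to a defender than any single ciphertext.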
After starting, the malware can protect itself against forensic analysis with the following features:
⦁ Set RLIMIT_CORE to zero to prevent core-dump generation if the process crashes
⦁ Ignore most signals to make it more difficult to interrupt the process
Figure 5: Kobalos avoids creating core dumps on crashes and ignores most signals.
Also, the timestomping technique is used to replace the original timestamp of the sshd file (the backdoor itself) to reduce suspicion. Using the backdoor requires a 512-bit RSA private key and a 32-byte-long password. Once the malware operator is authenticated, RC4 keys are exchanged between the infected host and the operator's machine, and the rest of the communication is encrypted with them. The network protocol is summarized in the next diagram.
Figure 6: Kobalos communication diagram.
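The anti-forensics behaviour (RLIMIT_CORE set to zero, most signals ignored) and the timestomping of the sshd file both leave traces a defender can read back from the host. The following is an added example, not code from the original article or from ESET: it parses the real /proc/<pid>/limits and /proc/<pid>/status formats, but the sample texts, the threshold of 16 ignored signals and the one-hour ctime tolerance are constructed assumptions for this illustration.

```python
import os
import re
import statistics

# Constructed /proc/<pid>/limits excerpt, in the kernel's column layout.
LIMITS_SAMPLE = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max core file size        0                    unlimited            bytes
Max open files            1024                 4096                 files
"""

# Constructed /proc/<pid>/status excerpts. SigIgn is a 64-bit hex mask where
# bit n-1 represents signal n.
STATUS_SUSPICIOUS = "Name:\tsshd\nSigIgn:\t00000000fffbfeff\n"  # all but SIGKILL/SIGSTOP
STATUS_NORMAL = "Name:\tsshd\nSigIgn:\t0000000000001000\n"      # only SIGPIPE


def core_dump_disabled(limits_text: str) -> bool:
    """True when the soft RLIMIT_CORE is 0, i.e. no core dump can be written."""
    m = re.search(r"^Max core file size\s+(\S+)\s+(\S+)", limits_text, re.M)
    return m is not None and m.group(1) == "0"


def ignored_signal_count(status_text: str) -> int:
    """Number of signals the process ignores, from the SigIgn bitmask."""
    m = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.M)
    return bin(int(m.group(1), 16)).count("1") if m else 0


def anti_forensics_indicators(limits_text: str, status_text: str,
                              sigign_threshold: int = 16) -> dict:
    """Combine both checks. The threshold is an assumption: a normal daemon
    ignores a handful of signals, not dozens."""
    ignored = ignored_signal_count(status_text)
    return {
        "core_dumps_disabled": core_dump_disabled(limits_text),
        "ignored_signals": ignored,
        "ignores_most_signals": ignored >= sigign_threshold,
    }


def inspect_pid(pid: int) -> dict:
    """Run the checks against a live process (Linux only)."""
    with open(f"/proc/{pid}/limits") as fh:
        limits = fh.read()
    with open(f"/proc/{pid}/status") as fh:
        status = fh.read()
    return anti_forensics_indicators(limits, status)


def ctime_outliers(ctimes: dict, tolerance_seconds: int = 3600) -> list:
    """Timestomping can set mtime/atime to any value, but ctime is always
    written by the kernel at the moment of the change. Files installed by one
    package share a ctime, so a replaced file's ctime stands out from its
    siblings. ctimes: {path: st_ctime}."""
    if len(ctimes) < 2:
        return []
    median = statistics.median(ctimes.values())
    return sorted(p for p, c in ctimes.items()
                  if abs(c - median) > tolerance_seconds)


def openssh_ctime_check(paths=("/usr/bin/ssh", "/usr/bin/scp",
                               "/usr/bin/sftp", "/usr/bin/ssh-keygen")) -> list:
    """Apply the ctime heuristic to the OpenSSH client binaries that ship together."""
    ctimes = {p: os.stat(p).st_ctime for p in paths if os.path.exists(p)}
    return ctime_outliers(ctimes)


if __name__ == "__main__":
    print(anti_forensics_indicators(LIMITS_SAMPLE, STATUS_SUSPICIOUS))
    print(anti_forensics_indicators(LIMITS_SAMPLE, STATUS_NORMAL))
    print("ctime outliers:", openssh_ctime_check())
```

The ctime heuristic is a triage aid, not proof: a legitimate package upgrade that replaced only one binary would also produce an outlier, so a hit should be followed by the package-manager and hash comparison rather than acted on alone.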
Dealing with Kobalos malware
Kobalos malware is a potent and dangerous threat that currently impacts mostly Unix-based systems, though not exclusively: operating systems such as Solaris and Windows are also at risk. At first glance, the numerous well-implemented features and network evasion techniques show that the criminals behind this piece of malware are far more knowledgeable than the typical authors of malware targeting non-Windows systems. Host-level monitoring should therefore be the first step in detecting and blocking threats of this kind, including artifacts related to the replaced sshd and ssh binaries. Replacing these binaries is how the criminals achieve persistence and evade detection, and such artifacts are a clear signal to look for when hunting for malicious activity at the host level. On the network side, a large or uncommon volume of Internet traffic and abnormal payloads can be detected with network analysis software and physical devices such as firewalls. Be proactive and start taking malware protection seriously.
Sources
Kobalos analysis, ESET
Advisory on Attacks on multiple HPC sites, EGI CSIRT