High-performance computing clusters belonging to university networks, as well as servers associated with government agencies, endpoint security vendors, and internet service providers, have been targeted by a newly discovered backdoor that gives attackers the ability to execute arbitrary commands on the systems remotely.
Cybersecurity firm ESET named the malware “Kobalos[1]” — a nod to a “mischievous creature[2]” of the same name from Greek mythology — for its “tiny code size and many tricks.”
“Kobalos is a generic backdoor in the sense that it contains broad commands that don’t reveal the intent of the attackers,” researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan said[3] in a Tuesday analysis. “In short, Kobalos grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other Kobalos-infected servers.”
Besides tracing the malware back to attacks against a number of high-profile targets, ESET said the malware is capable of taking aim at Linux, FreeBSD, Solaris, and possibly AIX and Windows machines, with code references hinting at the legacy Windows 3.11 and Windows 95 operating systems.
Kobalos infections are believed to have started in late 2019 and remained active throughout 2020.
The initial compromise vector used to deploy the malware and the ultimate objective of the threat actor remain unclear as yet, but the presence of a trojanized OpenSSH client on one of the compromised systems suggests that “credential stealing could be one of the ways Kobalos propagates.”
No other malware artifacts were found on the systems, nor has there been any evidence that could potentially reveal the attackers’ intent.
“We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else,” the researchers said.
But what they did uncover shows that the multi-platform malware harbors some unusual techniques, including features that can turn any compromised server into a command-and-control (C&C) server for other hosts compromised by Kobalos.
In other words, infected machines can serve as proxies that connect to other compromised servers. The operators can then build new Kobalos samples that use such a host as their C&C server, creating a proxy chain of multiple infected servers through which they reach their targets.
To maintain stealth, Kobalos authenticates connections to infected machines using a 32-byte password that is generated and then encrypted with a 512-bit RSA private key. Subsequently, a pair of RC4 keys is used — one for inbound traffic and one for outbound traffic — for communications with the C&C server.
The backdoor also leverages a complex obfuscation mechanism to thwart forensic analysis, recursively calling its own code to perform a wide range of subtasks.
“The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems,” the researchers said.
“Their targets, being quite high-profile, also show that the objective of the Kobalos operators isn’t to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our Internet-wide scan.”
References
Read more: http://feedproxy.google.com/~r/TheHackersNews/~3/WWLP9j1y4ec/a-new-linux-malware-targeting-high.html