VTA-00357 – Kobalos Malware Targets High Performance Computer (HPC) Clusters:
1. Review and improve your server’s SSH security settings e.g. https://linux-audit.com/audit-and-harden-your-ssh-configuration/
2. Monitor your server’s SSH service activities for unauthorized remote access and unknown network connections established by the server.
3. Configure the IOC information provided below into your current network, perimeter and endpoint threat defense mechanisms e.g. Endpoint Advanced Threat Protection (ATP), Network Firewall, Web Application Firewall (WAF), Email and Web Content Filtering Policies, where applicable.
4. Download and install OTX Endpoint Security, subscribe to Provintell-Lab’s OTX pulses and scan endpoints for the presence of IOCs.
Kobalos is a malware with a tiny codebase that is nevertheless able to attack machines on multiple platforms such as Linux, BSD and Solaris. It is also speculated to be able to target AIX and Windows machines, based on several strings found in the malware code.
The main targets for this malware are high performance computer (HPC) clusters, as seen from infections at a large Asian ISP, a North American endpoint security vendor and a handful of personal servers. The malware is able to execute read and write commands against the file system and to spawn a terminal to execute arbitrary commands on the infected machine. The method used for initial access is still unknown, but propagation is via a trojanized OpenSSH client used to steal SSH credentials.
Once a machine is infected, the file /usr/bin/ssh is replaced with a modified executable that records the username, password and target hostname. The records are then encrypted and saved in the /var/run folder with a “.pid” extension. The stolen credentials are later used to access other servers and spread the malware. Another feature of this malware is the ability to turn any compromised machine into a C2 server or a proxy server via a single command: the C2 IP addresses are hardcoded into the executable, and the malware can be updated with a new C2 server. Communications between the C2 server and the infected machines are also encrypted.
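The two behaviours described above (a replaced /usr/bin/ssh and encrypted credential records dropped into /var/run under a “.pid” name) each give a defender something concrete to check. The script below is an added example written for this advisory; it is not the advisory’s own tooling and not from any vendor report. It assumes that a legitimate *.pid file holds nothing but a single decimal process id, and that the host uses dpkg or rpm so the ssh binary can be compared with its package. The sample file names and contents it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added defender-side example; not part of the advisory. Assumptions (not stated
# on the page): a legitimate *.pid file holds a single decimal process id, and
# the host uses dpkg or rpm so the ssh binary can be checked against its package.

# Return 0 (true) when FILE does not look like a normal pid file, i.e. its
# content is not a single run of digits (optionally newline-terminated).
# An encrypted record of the kind described above fails this test, and so does
# an empty file; both deserve a look.
is_suspicious_pidfile() {
    f="$1"
    [ -f "$f" ] && [ -r "$f" ] || return 1
    total=$(LC_ALL=C tr -d '\n' < "$f" | wc -c | tr -d ' ')
    digits=$(LC_ALL=C tr -cd '0-9' < "$f" | wc -c | tr -d ' ')
    [ "$total" -gt 0 ] && [ "$total" -eq "$digits" ] && return 1
    return 0
}

# Print every *.pid file directly under DIR that fails the check above.
# Returns 0 if nothing was flagged, 1 otherwise, so it can be used as a condition.
scan_pidfiles() {
    dir="$1"
    flagged=0
    for f in "$dir"/*.pid; do
        [ -e "$f" ] || continue                      # glob matched nothing
        if [ ! -r "$f" ]; then
            echo "unreadable (run as root?): $f" >&2
            continue
        fi
        if is_suspicious_pidfile "$f"; then
            echo "$f"
            flagged=1
        fi
    done
    return $flagged
}

# Compare the SSH client binary with the package that owns it.
# Returns 0 if it matches, 1 if it differs or belongs to no package, 2 if
# neither dpkg nor rpm is available on this host.
check_ssh_binary() {
    bin="${1:-/usr/bin/ssh}"
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$bin" 2>/dev/null | head -n 1 | cut -d: -f1)
        [ -n "$pkg" ] || return 1
        # dpkg -V prints one line per file whose checksum differs from the package
        dpkg -V "$pkg" 2>/dev/null | grep -Fq -- "$bin" && return 1
        return 0
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin" 2>/dev/null | grep -Fq -- "$bin" && return 1
        return 0
    fi
    return 2
}

# Demonstration on constructed sample files (names and contents are made up here).
demo_dir=$(mktemp -d)
printf '2741\n' > "$demo_dir/sshd.pid"                    # ordinary pid file
printf '\217\002\241\n\377\016' > "$demo_dir/syslog.pid"   # constructed binary blob
printf 'not a process id\n' > "$demo_dir/cron.pid"        # constructed text
echo "Scanning $demo_dir:"
scan_pidfiles "$demo_dir" || echo "-> suspicious .pid files found"
rm -rf "$demo_dir"

# Live checks: run as root with --live to read /var/run and verify /usr/bin/ssh.
if [ "${1:-}" = "--live" ]; then
    scan_pidfiles /var/run || echo "-> review the files listed above"
    rc=0
    check_ssh_binary /usr/bin/ssh || rc=$?
    case $rc in
        0) echo "/usr/bin/ssh matches its package" ;;
        1) echo "/usr/bin/ssh differs from its package or is unpackaged: investigate" ;;
        *) echo "no dpkg/rpm here; compare the binary hash with a known-good copy" ;;
    esac
fi
```

Two caveats apply. The package database and its checksums live on the same host as the suspect binary, so on a compromised machine a clean `dpkg -V` or `rpm -V` result is evidence, not proof; the stronger check is to compare the hash of /usr/bin/ssh with a copy taken from a trusted mirror or a known-clean build. Second, the .pid scan only looks at files directly under /var/run and will flag empty or stale pid files as well, so its output is a review list rather than a verdict.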
Remote Access Service
Command and Control, Defense Evasion, Persistence
Compromise Client Software Binary, Traffic Signaling, Clear Command History, Timestomp, Software Packing, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Proxy:
Indicator of Compromise (IOC) Detection:
Contributed by: Riven