
Kobalos malware: A complex Linux threat

May 26, 2021 by Pedro Tavares

Kobalos is a piece of malware, recently discovered by the ESET team, that attacks Unix-like systems. Its name refers to its tiny code size and the many tricks found during its analysis. It targets UNIX-based systems including Linux, FreeBSD and Solaris, and possibly AIX and Windows. The backdoor grants remote access to the operating system's file system, lets criminals spawn terminal sessions and proxies connections to other Kobalos-infected servers around the globe.

In general, this threat has been targeting high-performance computing (HPC) clusters, among other high-profile targets. For instance, the EGI CSIRT advisory shows compromised servers in Poland, Canada and China used to carry out these attacks. Figure 1 shows how this threat is distributed globally.

Figure 1: Global distribution of the Kobalos malware (source).

The initial foothold is achieved by compromising credentials to gain administrative access, after which the Kobalos backdoor is installed. Criminals then deploy a trojanized OpenSSH client on the host to harvest further credentials:

"The /usr/bin/ssh file was replaced with a modified executable that recorded username, password and target hostname, and wrote them to an encrypted file," says ESET.

Kobalos: modus operandi

Kobalos is a powerful piece of malware. It contains a set of commands that do not reveal the malicious intent of the criminals at first glance. The backdoor is equipped with features to grant remote access to the operating system's file system, with capabilities to spawn terminal sessions and to proxy connections to other Kobalos-infected servers around the Internet, as depicted below.

Figure 2: High-level diagram of Kobalos backdoor.

As observed above, there are several ways of connecting to and interacting with infected hosts. The generic method relies on the trojanized sshd: Kobalos spawns a new session only if the connection comes from a specific source port. Other variants are not available in the malware source code. Criminals gain access to an infected machine through a C2 server that acts as a man-in-the-middle (MITM) agent and connects to other infected hosts via specific TCP ports.

An interesting detail that makes this backdoor unique is that each Kobalos-infected host can act as a C2 server. Because the C2 server IP addresses and ports are hardcoded into the executable, the operators can generate new Kobalos samples that use new C2 servers hosted on the targets' own infrastructure.

Figure 3: Kobalos hardcoded configuration.

The obfuscation layers of Kobalos 

Kobalos uses a single function that recursively calls other functions at run-time. Because of that, analyzing Kobalos is not a trivial task. Figure 4 shows a high-level diagram of the main call and its sub-calls.

Figure 4: Control flow graph of Kobalos malware.

In addition, there are no readable plain-text strings inside the malware binary. The strings are encrypted with the RC4 algorithm and decrypted only after the initial communication. The same key is shared between different samples:

AE 0E 05 09 0F 3A C2 B5 0B 1B C6 E9 1D 2F E3 CE.

The decrypted strings of Kobalos backdoor are the following:

  1. %s %s
  2. /dev/ptmx
  3. ptem
  4. ldterm
  5. ttcompat
  6. /dev/tty
  7. %s
  8. %d
  9. /
  10. \
  11. %d.%d
  12. win3.11
  13. win95
  14. winNT
  15. win??
  16. \\.\pipe\2
  17. %s %s.%s
  18. /dev/ptc
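To make the string-recovery step concrete, here is an added example (my own code, not code from the article or from the ESET report): a plain RC4 implementation that an analyst can use to recover RC4-encrypted strings from a sample once the key has been extracted. KOBALOS_RC4_KEY is the key quoted above. The NUL-separated "string table" layout and the encrypted blob are constructed for this example only; a real sample's storage layout has to be confirmed in the disassembly.

```python
# Added example (not code from the article or the ESET report): minimal RC4
# for recovering encrypted strings once the key is known. The string-table
# layout (NUL-separated) and the encrypted blob are constructed here.

# The 16-byte key quoted in the article (bytes.fromhex ignores the spaces).
KOBALOS_RC4_KEY = bytes.fromhex("AE 0E 05 09 0F 3A C2 B5 0B 1B C6 E9 1D 2F E3 CE")


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with the keystream; RC4 encrypts and decrypts the same way."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_string_table(key: bytes, blob: bytes) -> list:
    """Decrypt a NUL-separated string table and return the plaintext strings."""
    plain = rc4_crypt(key, blob)
    return [chunk.decode("latin-1") for chunk in plain.split(b"\x00") if chunk]


# Constructed sample: a few of the strings listed above, encrypted with the
# Kobalos key so the example has something realistic to decrypt.
SAMPLE_STRINGS = ["/dev/ptmx", "ptem", "ldterm", "ttcompat", "/dev/tty", "/dev/ptc"]
ENCRYPTED_TABLE = rc4_crypt(
    KOBALOS_RC4_KEY, b"\x00".join(s.encode() for s in SAMPLE_STRINGS) + b"\x00"
)


def recover_sample_strings() -> list:
    """Decrypt the constructed table; returns SAMPLE_STRINGS in order."""
    return decrypt_string_table(KOBALOS_RC4_KEY, ENCRYPTED_TABLE)


if __name__ == "__main__":
    for index, text in enumerate(recover_sample_strings(), 1):
        print(f"{index}. {text}")
```

Because RC4 is a stream cipher, the same `rc4_crypt` call both encrypts and decrypts; the well-known "Key"/"Plaintext" test vector (ciphertext BB F3 16 E8 D9 40 AF 0A D3) is a quick way to confirm the implementation before pointing it at bytes carved from a sample.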

After starting, the malware can protect itself against forensic analysis with the following features:

Set RLIMIT_CORE to zero to prevent core-dump generation if the process crashes

Ignore most signals to make it more difficult to interrupt the process

Figure 5: Kobalos avoids creating core dumps on crashes and will ignore most signals.

Also, the timestomping technique is used to replace the original timestamp of the sshd file (the backdoor itself) so that the modified binary does not raise suspicion.
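The two anti-forensic traits above (core dumps disabled, most signals ignored) are both visible from Linux's /proc, which makes them cheap to hunt for on a live host. The following is an added example (my own code, not the article's or ESET's): it reads the "Max core file size" row of /proc/<pid>/limits and the SigIgn bitmask of /proc/<pid>/status. The sample texts are constructed to mimic those files; the threshold of 20 ignored signals, and the decision to treat only a hard core limit of 0 as notable, are assumptions for this example rather than values from the report.

```python
# Added example (not code from the article or the ESET report): host triage
# for two anti-forensic traits using only /proc on Linux:
#   * RLIMIT_CORE, from the "Max core file size" row of /proc/<pid>/limits
#   * ignored signals, from the SigIgn bitmask in /proc/<pid>/status
# The min_ignored threshold and the "hard limit == 0" rule are assumptions.

import os
import re


def parse_sigign(status_text: str) -> set:
    """Return the set of signal numbers whose bit is set in the SigIgn mask.

    Bit (n - 1) of the mask corresponds to signal n, so 0x1000 means SIGPIPE (13).
    """
    match = re.search(r"^SigIgn:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not match:
        return set()
    mask = int(match.group(1), 16)
    return {n for n in range(1, 65) if (mask >> (n - 1)) & 1}


def parse_core_limit(limits_text: str):
    """Return (soft, hard) core-file limits; "unlimited" becomes None."""
    for line in limits_text.splitlines():
        if line.startswith("Max core file size"):
            fields = line.split()   # ["Max","core","file","size", soft, hard, "bytes"]
            to_int = lambda v: None if v == "unlimited" else int(v)
            return to_int(fields[4]), to_int(fields[5])
    return None, None


def triage(status_text: str, limits_text: str, min_ignored: int = 20) -> list:
    """Return human-readable findings; an empty list means nothing notable."""
    findings = []
    soft, hard = parse_core_limit(limits_text)
    # A soft limit of 0 is the default on many distributions, so only a hard
    # limit of 0 (which the process must have lowered itself) is reported.
    if hard == 0:
        findings.append("hard RLIMIT_CORE is 0: core dumps cannot be produced")
    ignored = parse_sigign(status_text)
    if len(ignored) >= min_ignored:
        findings.append(f"{len(ignored)} signals ignored (SigIgn); "
                        f"SIGHUP ignored={1 in ignored}, SIGTERM ignored={15 in ignored}")
    return findings


def scan_proc(proc: str = "/proc") -> dict:
    """Run triage over every readable process on a live host: {pid: findings}."""
    hits = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/status") as fh:
                status = fh.read()
            with open(f"{proc}/{pid}/limits") as fh:
                limits = fh.read()
        except OSError:             # process exited, or not ours to read
            continue
        findings = triage(status, limits)
        if findings:
            hits[int(pid)] = findings
    return hits


# Constructed samples. BENIGN_* mimics an ordinary sshd (ignores only SIGPIPE,
# soft core limit 0, hard limit unlimited). SUSPECT_* mimics a process that
# ignores every catchable signal 1-31 and has lowered the hard core limit to 0.
BENIGN_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nSigIgn:\t0000000000001000\nSigCgt:\t0000000180014005\n"
SUSPECT_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nSigIgn:\t000000007ffbfeff\nSigCgt:\t0000000000000000\n"
BENIGN_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max core file size        0                    unlimited            bytes\n"
    "Max open files            1024                 524288               files\n"
)
SUSPECT_LIMITS = (
    "Limit                     Soft Limit           Hard Limit           Units\n"
    "Max core file size        0                    0                    bytes\n"
    "Max open files            1024                 524288               files\n"
)

if __name__ == "__main__":
    print("benign :", triage(BENIGN_STATUS, BENIGN_LIMITS))
    print("suspect:", triage(SUSPECT_STATUS, SUSPECT_LIMITS))
    if os.path.isdir("/proc"):
        print("live host:", scan_proc())
```

Neither trait is proof of compromise on its own (daemons legitimately ignore SIGPIPE, and some hardened services lower their core limit), so hits from `scan_proc` are a starting point for a closer look at the binary. For the timestomped sshd specifically, a faked mtime does not change the file's hash, so verifying the binary against the package database (`rpm -V openssh-server` or `dpkg --verify`) is the complementary check.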

Using the backdoor requires a private 512-bit RSA key and a 32-byte-long password. Once the malware operator is authenticated, RC4 keys are exchanged between the infected host and the operator's machine, and the rest of the communication is encrypted with them. The network protocol is summarized in the following diagram.

Figure 6: Kobalos communication diagram.

Dealing with Kobalos malware

Kobalos is a potent and dangerous threat that currently impacts mostly Unix-based systems, though not exclusively: operating systems such as Solaris and Windows are also at risk. The numerous well-implemented features and network evasion techniques show that the criminals behind this piece of malware are far more knowledgeable than the typical authors of malware targeting non-Windows systems.

Host-level monitoring should therefore be seen as the first step to detect and block threats of this kind, including artifacts related to the sshd binary. Without it, criminals achieve persistence and evade detection, so a replaced or modified sshd is a clear signal to look for when hunting for malicious activity at the host level.

On the network side, a large or uncommon volume of Internet traffic and abnormal payloads can be detected with network-analysis software and physical devices such as firewalls.

Be proactive and start taking malware protection seriously.


Sources

Kobalos analysis, ESET

Advisory on Attacks on multiple HPC sites, EGI CSIRT


Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog seguranca-informatica.pt. In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.
