This Linux malware is hijacking supercomputers across the globe

Kobalos’ codebase is tiny, but its impact is not.

A small but complex malware variant is targeting supercomputers worldwide.

Reverse engineered by ESET and described in a blog post on Tuesday, the malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. 

The cybersecurity team has named the malware Kobalos after the kobalos, a small creature in Greek mythology believed to cause mischief. 

Kobalos is unusual for a number of reasons. The malware's codebase is tiny, yet it is portable enough to run on at least Linux, BSD, and Solaris. ESET suspects it may also be usable against AIX and Microsoft Windows machines. 

"It has to be said that this level of sophistication is only rarely seen in Linux malware," commented cybersecurity researcher Marc-Etienne Léveillé.

While working with the CERN Computer Security Team, ESET realized the "unique, multiplatform" malware was targeting high-performance computing (HPC) clusters. On some infected machines, a companion piece of malware hijacks SSH connections to steal credentials, which are then used to obtain access to HPC clusters and deploy Kobalos. 

"The presence of this credential stealer may partially answer how Kobalos propagates," the team says. 

Kobalos is, in essence, a backdoor. Once the malware has landed on a supercomputer, its code is embedded in the OpenSSH server executable, and the backdoor is triggered only when an incoming connection arrives from a specific TCP source port; ordinary SSH sessions are served as usual, so the trojanized sshd looks normal from the outside.
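A fixed client source port is a usable detection signal, because a normal SSH client lets the kernel assign a varying ephemeral port. The script below is an added example, not ESET's tooling and not code from the malware: it parses `ss -tn`-style connection listings and flags (a) connections to sshd from a configured trigger port and (b) any source port reused toward sshd by several unrelated client addresses. The port 55201 and the connection lines in it are constructed for illustration; the article does not name the trigger port.

```python
"""
Heuristic detection of backdoor-trigger traffic to sshd, keyed on the client's
TCP source port. Added example; not ESET's code and not Kobalos code.

Normal SSH clients use a kernel-assigned ephemeral source port that changes
per connection. A backdoor woken by one specific source port forces the client
to bind that port, so a known trigger port, or the same source port reused by
unrelated clients, is worth alerting on.
"""
import re
from collections import defaultdict

# Constructed `ss -tn`-style output for the example (not real capture data).
# The trigger port 55201 is an assumed value; the article does not give it.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 198.51.100.5:22 203.0.113.10:51832
ESTAB 0 0 198.51.100.5:22 203.0.113.10:51833
ESTAB 0 0 198.51.100.5:22 203.0.113.77:55201
ESTAB 0 0 198.51.100.6:22 203.0.113.77:55201
ESTAB 0 0 198.51.100.7:22 203.0.113.99:55201
ESTAB 0 0 198.51.100.5:443 203.0.113.20:44110
"""

# State Recv-Q Send-Q Local:Port Peer:Port (IPv4 only; bracketed IPv6 is not handled)
SS_LINE = re.compile(
    r"^\S+\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
)


def parse_ss(text):
    """Return (local_ip, local_port, peer_ip, peer_port) tuples from `ss -tn` output."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:  # the header line does not match and is skipped
            conns.append((m.group("laddr"), int(m.group("lport")),
                          m.group("raddr"), int(m.group("rport"))))
    return conns


def flag_trigger_port(conns, trigger_port, ssh_port=22):
    """Connections to sshd whose peer (client) source port equals a known trigger port."""
    return [c for c in conns if c[1] == ssh_port and c[3] == trigger_port]


def flag_reused_source_ports(conns, ssh_port=22, min_clients=2):
    """Map source port -> sorted client IPs, for ports used toward sshd by
    at least `min_clients` distinct clients. Ephemeral ports are picked
    independently per client, so sharing one across hosts is unusual."""
    clients_by_port = defaultdict(set)
    for laddr, lport, raddr, rport in conns:
        if lport == ssh_port:
            clients_by_port[rport].add(raddr)
    return {port: sorted(ips) for port, ips in clients_by_port.items()
            if len(ips) >= min_clients}


if __name__ == "__main__":
    conns = parse_ss(SAMPLE_SS_OUTPUT)
    for c in flag_trigger_port(conns, 55201):
        print("trigger-port hit:", c)
    for port, ips in flag_reused_source_ports(conns).items():
        print(f"source port {port} reused toward sshd by {len(ips)} clients: {ips}")
```

Because the backdoor lives inside the sshd process itself, nothing in the SSH authentication log will show it; connection metadata from `ss`, conntrack or NetFlow is the practical vantage point. Pair this with an integrity check of the sshd binary against the distribution package (`rpm -V openssh-server` or `dpkg --verify openssh-server`), since a trojanized executable is the other artifact the article describes.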

Other variants instead act as relays, proxying traffic to the operators' command-and-control (C2) servers.

Kobalos grants its operators remote access to the file system, lets them spawn terminal sessions, and can also act as a connection point to other servers infected with the malware. 

ESET says that a unique facet of Kobalos is its ability to turn any compromised server into a C2 through a single command. 

"As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server," the researchers noted. 

The malware was a challenge to analyze because all of its code is held in a "single function that recursively calls itself to perform subtasks," ESET says, adding that all strings are encrypted as a further barrier to reverse engineering. More research is still needed into the malware, and into who may be responsible for its development.

"We were unable to determine the intentions of the operators of Kobalos," ESET commented. "No other malware, except for the SSH credential stealer, was found by the system administrators of the compromised machines. Hopefully, the details we reveal today in our new publication will help raise awareness around this threat and put its activity under the microscope."
