A small but complex malware variant is targeting supercomputers worldwide. Victims traced so far include supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately held servers, among other targets. The malware, named Kobalos, has a tiny codebase yet runs on at least Linux, BSD, and Solaris, and it may also be portable to AIX and Microsoft Windows.
This unique, multiplatform malware has been targeting high-performance computing (HPC) clusters. In some infections, a companion ‘sidekick’ component intercepts SSH connections on an already compromised host to harvest credentials, which are then used to log in to HPC clusters and deploy Kobalos. Once on a host, Kobalos embeds itself in the OpenSSH server (sshd) executable; the backdoor activates only when an incoming connection arrives from a specific TCP source port, which lets it stay dormant during ordinary SSH logins.
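The source-port trigger is also a detection opportunity: a normal SSH client lets the kernel choose an ephemeral source port (Linux default range 32768 to 60999, from /proc/sys/net/ipv4/ip_local_port_range), whereas a client that must arm a backdoor connects from one fixed port. The following script is an added example, not code from the article or from ESET's research; it scans `ss -tn`-style connection lines for inbound sshd connections whose peer port is either on a watchlist or outside the ephemeral range. The watched port 12345 and the sample lines are constructed placeholders, since the page does not state the real trigger port.

```python
"""Flag inbound SSH connections whose client source port looks like a
Kobalos-style trigger (constructed example; port values are placeholders)."""
import re
from typing import Iterable, List, Optional, Tuple

# Linux default ephemeral range (/proc/sys/net/ipv4/ip_local_port_range).
EPHEMERAL_RANGE = (32768, 60999)
SSHD_PORT = 22
# Hypothetical trigger port: the page does not give the real one, so this
# set must be filled from the sample under analysis.
WATCHED_SOURCE_PORTS = {12345}

# Matches "10.0.0.5:22   198.51.100.4:49152" (local then peer, ss -tn layout).
_CONN_RE = re.compile(
    r"(?P<local>[\d.]+):(?P<lport>\d+)\s+(?P<peer>[\d.]+):(?P<pport>\d+)"
)


def parse_conn(line: str) -> Optional[Tuple[str, int, str, int]]:
    """Return (local_ip, local_port, peer_ip, peer_port) or None for non-connection lines."""
    m = _CONN_RE.search(line)
    if not m:
        return None
    return m["local"], int(m["lport"]), m["peer"], int(m["pport"])


def classify(line: str) -> Optional[str]:
    """Return a finding string for a suspicious sshd connection, else None."""
    parsed = parse_conn(line)
    if parsed is None:
        return None
    _, lport, peer, pport = parsed
    if lport != SSHD_PORT:
        return None  # only connections terminating on sshd are of interest
    if pport in WATCHED_SOURCE_PORTS:
        return f"trigger-port: {peer}:{pport}"
    lo, hi = EPHEMERAL_RANGE
    if not lo <= pport <= hi:
        # A client bound to a fixed, non-ephemeral port is unusual for ssh(1).
        return f"non-ephemeral-source: {peer}:{pport}"
    return None


def find_suspicious(lines: Iterable[str]) -> List[str]:
    """Run classify() over every line and collect the findings in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample in the column layout of `ss -tn` (not real data).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.5:22         198.51.100.4:49152
ESTAB  0      0      10.0.0.5:22         203.0.113.7:12345
ESTAB  0      0      10.0.0.5:22         203.0.113.9:1024
ESTAB  0      0      10.0.0.5:443        203.0.113.9:1024
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE.splitlines()):
        print(hit)
```

Two caveats apply when using this on a real host: the heuristic is blind if a NAT device in front of the cluster rewrites client source ports, and the ephemeral range is only a default, so check the actual sysctl value and any non-standard sshd listening port before trusting the non-ephemeral finding.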
Other variants act as intermediaries for traditional command-and-control (C2) server connections. Kobalos gives its operators remote access to the file system, lets them spawn terminal sessions, and also serves as a connection point to other servers infected with the malware. A single command can turn any compromised server into a C2 server; because C2 IP addresses and ports are hardcoded in the executable, the operators then build new Kobalos samples that point at the newly promoted C2. The malware was a challenge to analyze, as all of its code is held in a “single function that recursively calls itself to perform subtasks and all strings are encrypted as a further barrier to reverse engineering.”