February 3, 2021
Severity
High
Analysis Summary
A small but complex malware variant is targeting supercomputers worldwide. The malware has been traced back to attacks against supercomputers used by a large Asian Internet Service Provider (ISP), a US endpoint security vendor, and a number of privately-held servers, among other targets. The malware’s codebase is tiny, yet it is sophisticated enough to run on at least Linux, BSD, and Solaris operating systems, and it may also be capable of attacks against AIX and Microsoft Windows machines.
This unique, multiplatform malware was targeting high-performance computing (HPC) clusters. In some cases of infection, it appears that a ‘sidekick’ malware component hijacks SSH server connections to steal credentials, which are then used to obtain access to HPC clusters and deploy Kobalos. Once the malware has landed on a supercomputer, the code buries itself in an OpenSSH server executable, and the backdoor is triggered when a connection arrives from a specific TCP source port.
Other variants act as middlemen for traditional command-and-control (C2) server connections. Kobalos grants its operators remote access to file systems, allows them to spawn terminal sessions, and also acts as a connection point to other servers infected with the malware. Moreover, the malware is able to turn any compromised server into a C2 through a single command. As the C2 server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C2 server. The malware was a challenge to analyze, as all of its code is held in a “single function that recursively calls itself to perform subtasks,” and all strings are encrypted as a further barrier to reverse engineering.
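The source-port trigger described above is something a defender can hunt for in network connection logs: inbound TCP connections to the SSH service whose client-side (source) port matches a value that no ordinary SSH client would pick. The following is an added example written for this alert, not code from Rewterz or from the original research; it parses a constructed Zeek-style conn.log excerpt and flags SSH connections originating from a watched source port. The alert does not name the actual trigger port, so WATCHED_SOURCE_PORTS is a placeholder to be replaced with the value from your own threat intelligence.

```python
"""Hunt for SSH connections whose client source port matches a watched value."""

# Constructed Zeek-style conn.log excerpt (tab-separated). These are not real
# traffic records; addresses are from documentation ranges.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1612310400.101\tC1a\t10.0.5.17\t51322\t10.0.5.20\t22\ttcp\tssh
1612310405.220\tC2b\t198.51.100.9\t55555\t10.0.5.20\t22\ttcp\tssh
1612310409.004\tC3c\t10.0.5.17\t55555\t10.0.5.21\t443\ttcp\tssl
1612310412.600\tC4d\t203.0.113.4\t55555\t10.0.5.22\t22\ttcp\t-
1612310415.330\tC5e\t10.0.5.18\t40012\t10.0.5.20\t22\tudp\t-
"""

# Placeholder: the alert does not disclose the real trigger port. Populate this
# from your own intelligence feed before running against production logs.
WATCHED_SOURCE_PORTS = {55555}


def parse_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_trigger_candidates(text, watched_ports=WATCHED_SOURCE_PORTS, ssh_port=22):
    """Return (uid, client_ip, client_port, server_ip) for TCP connections to
    the SSH port whose client source port is in the watch list."""
    hits = []
    for rec in parse_conn_log(text):
        if rec.get("proto") != "tcp":
            continue
        try:
            orig_p = int(rec["id.orig_p"])
            resp_p = int(rec["id.resp_p"])
        except (KeyError, ValueError):
            continue  # malformed record; skip rather than crash the hunt
        if resp_p == ssh_port and orig_p in watched_ports:
            hits.append((rec["uid"], rec["id.orig_h"], orig_p, rec["id.resp_h"]))
    return hits


if __name__ == "__main__":
    for uid, src, sport, dst in find_trigger_candidates(SAMPLE_CONN_LOG):
        print(f"{uid}: {src}:{sport} -> {dst}:22 matches watched source port")
```

A legitimate SSH client chooses an ephemeral source port at random, so repeated connections to port 22 from one fixed, unusual source port are a strong signal on their own; connections from the same source port to other services (like C3c to 443 above) are deliberately ignored to keep the alert specific to the OpenSSH backdoor.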
Impact
- Unauthorized Access
- Credential Theft
- Code Execution
Indicators of Compromise
MD5
- bc49dd3da0b2cb1425a466a3d2f0ed41
- 2c693d26ba9df26edf77557c1a709528
- 87837cc81c346e2a38ab1fe5e4826af2
- f54ba4ac2eeb5c12a513872acabecbc6
- 4e52980f06f211668df959175d6c3d58
- 7538d0ec96869fd53d7c613a108846c0
SHA-256
- 13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a
- 73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58
- 6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a
- 9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74
- 75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45
- d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983
SHA-1
- 1dd0edc5744d63a731db8c3b42efbd09d91fed78
- 479f470e83f9a5b66363fba5547fdfcf727949da
- 6616de799b5105ee2eb83bbe25c7f4433420dff7
- affa12cc94578d63a8b178ae19f6601d5c8bb224
- e094dd02cc954b6104791925e0d1880782b046cf
- fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe
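The hashes above are most useful when checked against files actually present on HPC nodes, in particular the OpenSSH server binaries the malware embeds itself in. The script below is an added example, not code from Rewterz; it carries the alert's MD5, SHA-1 and SHA-256 indicators, computes all three digests of each file in a single pass, and reports any match. The directory list and chunk size are assumptions for illustration.

```python
"""Scan a filesystem tree for files matching the Kobalos hash indicators."""
import hashlib
import os

# Indicators as published in the alert above.
KOBALOS_MD5 = {
    "bc49dd3da0b2cb1425a466a3d2f0ed41", "2c693d26ba9df26edf77557c1a709528",
    "87837cc81c346e2a38ab1fe5e4826af2", "f54ba4ac2eeb5c12a513872acabecbc6",
    "4e52980f06f211668df959175d6c3d58", "7538d0ec96869fd53d7c613a108846c0",
}
KOBALOS_SHA1 = {
    "1dd0edc5744d63a731db8c3b42efbd09d91fed78", "479f470e83f9a5b66363fba5547fdfcf727949da",
    "6616de799b5105ee2eb83bbe25c7f4433420dff7", "affa12cc94578d63a8b178ae19f6601d5c8bb224",
    "e094dd02cc954b6104791925e0d1880782b046cf", "fbf0a76ced2939d1f7ec5f9ea58c5a294207f7fe",
}
KOBALOS_SHA256 = {
    "13cbde1b79ca195a06697df937580c82c0e1cd90cc91c18ddfe4a7802e8e923a",
    "73576d5a21ec2f164fe37bea86964e18dca1b800a8c7a104223cc35d74e7bd58",
    "6c36e0341ea1529665de88b690a19a18ea02d2a2a5bae6d745e01efc194e486a",
    "9ed33b43e679ad98615e1a4e8c46dbeb9b93271625e46f4b4d021099b4b6fb74",
    "75edf6662811d001da179b96bd06d675aa2439fd88a981cc84f24b4a5b4f8f45",
    "d51cb52136931af5ebd8628b64d6cd1327a99196b102d246f52d878ffb581983",
}

# Assumed starting points: where sshd and related binaries normally live.
DEFAULT_ROOTS = ["/usr/sbin", "/usr/bin", "/usr/local/sbin", "/usr/local/bin"]


def _new_hashers():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def digest_bytes(data):
    """Return {'md5', 'sha1', 'sha256'} hex digests of an in-memory blob."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Stream a file once, feeding every chunk to all three hashers."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matched_indicators(digests):
    """Return the list of algorithms whose digest matches a published indicator."""
    hits = []
    for algo, iocs in (("md5", KOBALOS_MD5), ("sha1", KOBALOS_SHA1), ("sha256", KOBALOS_SHA256)):
        if digests.get(algo, "").lower() in iocs:
            hits.append(algo)
    return hits


def scan_tree(roots):
    """Walk each root and return (path, matched_algorithms, sha256) for every hit."""
    findings = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    digests = digest_file(path)
                except OSError:
                    continue  # unreadable file; note it and move on
                hits = matched_indicators(digests)
                if hits:
                    findings.append((path, hits, digests["sha256"]))
    return findings


if __name__ == "__main__":
    for path, hits, sha256 in scan_tree(DEFAULT_ROOTS):
        print(f"MATCH {path} ({', '.join(hits)}) sha256={sha256}")
```

Run it with the privileges needed to read the sshd binary, and treat any match as a confirmed compromise of that host rather than a false positive: a hash match against a published sample is exact, so the appropriate follow-up is isolation and credential rotation for every account that authenticated through that server.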
Remediation
- Block the threat indicators at their respective controls.
- Keep all Linux devices and software updated to the latest patched versions.
- Use multi-factor authentication where possible.