High-performance computing networks belonging to some of the world's most prestigious organizations are being attacked by a recently discovered backdoor that grants attackers the ability to remotely execute any command they like, researchers said on Tuesday.
The malware, dubbed 'Kobalos' by researchers from security firm Eset, is a backdoor that runs on Linux, FreeBSD and Solaris; code artifacts suggest that it may once have run on AIX and on the ancient Windows 3.11 and Windows 95 platforms as well. The backdoor was released no later than 2019, and the group behind it remained active throughout the year that followed.
Although the Kobalos design is complex, its capabilities are limited and almost entirely devoted to covert backdoor access. Once fully deployed, it gives the operators access to the file system of the compromised system and to a remote terminal from which they can run arbitrary commands.
In one mode, the malware acts as a passive implant: it opens a TCP port on the infected machine and waits for an inbound connection from the attacker. In another mode, the malware turns the infected server into a command-and-control server that other Kobalos-infected machines connect to.
Infected machines can also be used as proxies to reach other Kobalos-compromised servers. These proxies can be chained, letting the operators route through several Kobalos-compromised machines to reach their final target.
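The passive mode described above leaves one thing behind on the host: a listening TCP socket that no legitimate service accounts for. The following is an added triage example written for this article, not Eset's tooling; it knows nothing about which port Kobalos actually uses, so it simply lists every LISTEN socket from a /proc/net/tcp dump, flags the ones not on an allowlist, and maps a socket inode back to the process holding it. The sample dump, the allowlist and the port 55555 listener are all constructed for the demonstration.

```python
"""Triage helper: list TCP sockets in LISTEN state from a /proc/net/tcp dump,
flag any not on an allowlist, and map a socket inode to its owning PIDs.

Added example for this article (not Eset's code). Linux-only: /proc/net/tcp
does not exist on FreeBSD or Solaris, where sockstat/netstat fill the role."""
import os
import socket
import struct

# /proc/net/tcp 'st' column: 0A is TCP_LISTEN, 01 is ESTABLISHED.
TCP_LISTEN = "0A"

# Constructed sample in /proc/net/tcp layout: sshd on 22, a local web server on
# 8080, an unexplained root-owned listener on 55555 (hypothetical, NOT a known
# Kobalos indicator), and one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:D903 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0200000A:0016 0100000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local ip/port, state, uid and inode.

    The address is hex in host byte order, so on the little-endian hosts
    Linux runs on it is decoded with a little-endian unpack."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        rows.append({
            "ip": socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))),
            "port": int(port_hex, 16),
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def unexpected_listeners(text, allowed_ports):
    """LISTEN sockets whose port is not in the allowlist."""
    listeners = [r for r in parse_proc_net_tcp(text) if r["state"] == TCP_LISTEN]
    return [r for r in listeners if r["port"] not in allowed_ports]


def owning_pids(inode, proc_root="/proc"):
    """PIDs holding the socket, found by scanning /proc/<pid>/fd symlinks for
    'socket:[<inode>]'. Returns [] off Linux or where /proc is unreadable."""
    pids = []
    if not os.path.isdir(proc_root):
        return pids
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:                         # process gone or no permission
            continue
    return pids


if __name__ == "__main__":
    # Use the live table when running on Linux, the constructed sample otherwise.
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for r in unexpected_listeners(table, allowed_ports={22, 8080}):
        print(f"{r['ip']}:{r['port']} uid={r['uid']} inode={r['inode']} "
              f"pids={owning_pids(r['inode'])}")
```

Run it as root so that the fd symlinks of other users' processes are readable; an unexpected listener whose inode maps to no PID at all is itself worth a look, since a rootkit-style implant may be hiding its process. The allowlist is only a convenience: the real check is whether each listener maps to a binary you can account for.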
To remain stealthy, Kobalos encrypts its communications with infected machines using two 16-byte keys that are generated and then encrypted with a password-protected RSA-512 private key. All subsequent inbound and outbound traffic is RC4-encrypted under those two keys. Neither RSA-512 nor RC4 is considered secure by modern standards; the scheme is there for stealth rather than strength. The malware also uses a complex obfuscation mechanism that makes third-party analysis difficult.
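For an analyst who has recovered the two 16-byte keys (for instance from a memory image of the implant), the practical consequence of the paragraph above is that a captured session can be decrypted offline, one RC4 keystream per direction. The block below is an added example written for this article; it is not Eset's code and not the real Kobalos wire format. It models only what the text states (two separate 16-byte RC4 keys, one per traffic direction) and makes two assumptions that are labelled in the code: that the RSA-512 key-wrapping step has already happened and is left out, and that each direction is a single RC4 stream running across all records. The sample traffic is constructed.

```python
"""Decrypt a captured two-key RC4 session of the kind the article describes.

Added example, not Eset's code and not the real Kobalos protocol. Assumptions:
the RSA-512 wrapping of the keys is omitted (keys are taken as already
recovered), and each direction is one continuous RC4 keystream across records."""


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA byte generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """One-shot RC4; encryption and decryption are the same XOR."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


class DuplexRC4:
    """One stateful RC4 stream per direction ('in' = operator to implant,
    'out' = implant to operator). Because each stream keeps its position,
    records must be fed in capture order or the output is garbage."""

    def __init__(self, key_in: bytes, key_out: bytes):
        if len(key_in) != 16 or len(key_out) != 16:
            raise ValueError("the article describes two 16-byte keys")
        self.streams = {"in": rc4_keystream(key_in), "out": rc4_keystream(key_out)}

    def process(self, direction: str, data: bytes) -> bytes:
        ks = self.streams[direction]
        return bytes(b ^ next(ks) for b in data)


def decrypt_capture(key_in: bytes, key_out: bytes, records):
    """records: list of (direction, ciphertext) in capture order.
    Returns the same list with plaintext in place of ciphertext."""
    session = DuplexRC4(key_in, key_out)
    return [(d, session.process(d, c)) for d, c in records]


def build_sample_capture():
    """Constructed sample: the operator runs two commands, the implant answers
    one. Keys are fixed test values, not anything recovered from real malware."""
    key_in, key_out = bytes(range(16)), bytes(range(16, 32))
    enc = DuplexRC4(key_in, key_out)
    plain = [("in", b"id\n"),
             ("out", b"uid=0(root) gid=0(root)\n"),
             ("in", b"uname -a\n")]
    return key_in, key_out, [(d, enc.process(d, p)) for d, p in plain]


if __name__ == "__main__":
    key_in, key_out, records = build_sample_capture()
    for direction, plaintext in decrypt_capture(key_in, key_out, records):
        print(direction, plaintext)
```

Because the two directions use independent keystreams, recovering only one key still yields one half of the conversation (the implant's replies, say) while the other half stays opaque; the test vectors behind this example exercise exactly that case. If a real implant re-keys or restarts the stream per record, the per-direction generator above would need to be reset accordingly, which is why that framing assumption is called out.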
Organizations infected with the malware include a university, an endpoint security company, several government agencies and a large ISP. One compromised high-performance computer has at least 512 gigabytes of RAM and almost a petabyte of storage.
Eset said the number of victims is in the tens. The figure comes from an internet-wide scan that measures the behavior a compromised host exhibits when a connection is established to it from a specific source port.
The sophistication of the malware, combined with the small number of high-profile targets, suggests that Kobalos is the work of an advanced team, one working in the less common field of non-Windows malware.
'The numerous well-implemented features and the network evasion techniques show the attackers behind Kobalos are much more knowledgeable than the typical malware author targeting Linux and other non-Windows systems', Eset researchers Marc-Etienne M. Léveillé and Ignacio Sanmillan wrote in a report. 'Their targets being quite high-profile also shows that the objective of the Kobalos operators isn't to compromise as many systems as possible. Its small footprint and network evasion techniques may explain why it went undetected until we approached victims with the results of our Internet-wide scan.'
It is not yet clear how Kobalos is being installed. One possibility is a component that steals the credentials administrators use to log in to machines over SSH, but that may not be the only means of infection. It is also unclear exactly what the Kobalos operators are doing with the malware; there were no indications that the compromised systems were used to mine cryptocurrency or to carry out other tasks.
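A credential-stealing component that sits in the SSH login path is, in practice, a modified client or server binary, so the first check an administrator of a Linux HPC node would want is whether the installed SSH binaries still match what the package manager recorded at install time. The block below is an added example written for this article, not Eset's tooling: it re-implements the comparison that `dpkg -V` performs on Debian-style systems, reading the per-package `.md5sums` manifest and hashing the files on disk. The manifest, the fake root directory and the deliberately mismatching `scp` are all constructed in a temporary directory so the example runs offline; on a real host point it at `root="/"` and the real `/var/lib/dpkg/info/openssh-client.md5sums`.

```python
"""Verify installed SSH client files against the checksums dpkg recorded at
install time (the same data `dpkg -V openssh-client` uses).

Added example for this article, not Eset's code. The demo root and manifest
are constructed in a temp directory; nothing here touches the real system
unless you pass root="/" and a real .md5sums file."""
import hashlib
import os
import tempfile


def parse_dpkg_md5sums(text):
    """Parse 'md5hex  relative/path' lines from a dpkg .md5sums manifest
    (paths are relative to /, with no leading slash)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, path = line.split(None, 1)
        expected[path] = digest.lower()
    return expected


def md5_of_file(path):
    """Streamed MD5 so large binaries are not read into memory at once.
    MD5 is what dpkg stores; this is a tamper check against a manifest,
    not a cryptographic guarantee."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package_files(md5sums_text, root="/", only=None):
    """Return {relative path: 'ok' | 'MODIFIED' | 'MISSING'}.
    `only` limits the check to paths containing that substring, e.g. 'bin/ssh'."""
    results = {}
    for rel, digest in parse_dpkg_md5sums(md5sums_text).items():
        if only and only not in rel:
            continue
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) != digest:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "ok"
    return results


def build_demo_root():
    """Constructed fake root: 'ssh' matches its recorded checksum, 'scp' has
    been replaced (its on-disk content differs from the manifest), and
    'ssh-add' is listed in the manifest but absent from disk."""
    root = tempfile.mkdtemp(prefix="ssh-integrity-demo-")
    os.makedirs(os.path.join(root, "usr/bin"))
    pristine_ssh = b"#!/bin/sh\necho pristine ssh client\n"
    with open(os.path.join(root, "usr/bin/ssh"), "wb") as f:
        f.write(pristine_ssh)
    with open(os.path.join(root, "usr/bin/scp"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced scp\n")
    manifest = (
        f"{hashlib.md5(pristine_ssh).hexdigest()}  usr/bin/ssh\n"
        f"{hashlib.md5(b'original scp content').hexdigest()}  usr/bin/scp\n"
        f"{'0' * 32}  usr/bin/ssh-add\n"
    )
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_root()
    for rel, status in verify_package_files(manifest, root=root).items():
        print(f"{status:8s} {os.path.join(root, rel)}")
```

The limitation to keep in mind is that the manifest lives on the same disk as the binaries: an attacker with root can rewrite `/var/lib/dpkg/info/*.md5sums` along with the binary, so a clean result from this check (or from `dpkg -V` / `rpm -V`) is only meaningful when compared against checksums taken from the distribution's package archive or from a known-good host, and it says nothing about a separate binary dropped elsewhere on the PATH.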
‘The intent of the authors of this malware is still unknown’, they wrote. ‘We have not found any clues to indicate whether they steal confidential information, pursue monetary gain, or are after something else.’
By Marvellous Iwendi
Source: ars technica