S0641 Kobalos
Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high-profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[1][2]
Item | Value |
---|---|
ID | S0641 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 24 August 2021 |
Last Modified | 25 October 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.004 | Unix Shell | Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.[1] |
enterprise | T1554 | Compromise Client Software Binary | Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[2] |
enterprise | T1074 | Data Staged | Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.[2] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Kobalos decrypts strings right after the initial communication, but before the authentication process.[2] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[1][2] |
enterprise | T1573.002 | Asymmetric Cryptography | Kobalos's authentication and key exchange is performed using RSA-512.[1][2] |
enterprise | T1048 | Exfiltration Over Alternative Protocol | Kobalos can exfiltrate credentials over the network via UDP.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.003 | Clear Command History | Kobalos can remove all command history on compromised hosts.[1] |
enterprise | T1070.006 | Timestomp | Kobalos can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.[2] |
enterprise | T1056 | Input Capture | Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[1][2] |
enterprise | T1027 | Obfuscated Files or Information | Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[1] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.003 | Multi-hop Proxy | Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[1][2] |
enterprise | T1082 | System Information Discovery | Kobalos can record the hostname and kernel version of the target machine.[2] |
enterprise | T1016 | System Network Configuration Discovery | Kobalos can record the IP address of the target machine.[2] |
enterprise | T1205 | Traffic Signaling | Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[1][2] |
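The T1074 row above notes that the trojanized SSH client stages stolen credentials as a .pid file under /var/run. The following added example (not code from ATT&CK or from the ESET report) is a small host check for that staging pattern: it flags .pid files whose contents are not a single process ID, or whose PID is not a running process. The directory path and the sample files it builds are constructed for the example.

```python
import os
import re
from pathlib import Path

# A legitimate .pid file holds one decimal PID and nothing else.
PID_RE = re.compile(rb"^\s*\d{1,7}\s*$")


def pid_is_live(pid: int) -> bool:
    """Return True if a process with this PID exists on this host."""
    try:
        os.kill(pid, 0)  # signal 0: existence check only, sends nothing
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by another user
    return True


def suspicious_pid_files(run_dir: str) -> list[tuple[str, str]]:
    """Walk run_dir for *.pid files and return (path, reason) for anomalies.

    A .pid file that is not a bare PID (e.g. credential text) or that points
    at no live process is a candidate for staged data, not a real PID file.
    """
    findings = []
    for path in sorted(Path(run_dir).rglob("*.pid")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable: out of scope for this check
        if not PID_RE.match(data):
            findings.append((str(path), "content is not a PID"))
        elif not pid_is_live(int(data.strip())):
            findings.append((str(path), "PID is not running"))
    return findings


def build_sample(run_dir: str) -> None:
    """Write constructed sample files: one genuine PID file, one staged record."""
    os.makedirs(run_dir, exist_ok=True)
    Path(run_dir, "sshd.pid").write_bytes(b"%d\n" % os.getpid())
    # Constructed stand-in for staged credentials; not a real Kobalos format.
    Path(run_dir, "dbus.pid").write_bytes(b"host.example port=22 user=alice pass=hunter2\n")


if __name__ == "__main__":
    build_sample("/tmp/kobalos-demo-run")
    for path, reason in suspicious_pid_files("/tmp/kobalos-demo-run"):
        print(f"{path}: {reason}")
```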
References
- M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
- M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS: Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.