Skip to content

S0641 Kobalos

Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.12

Item Value
ID S0641
Associated Names
Version 1.0
Created 24 August 2021
Last Modified 25 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.004 Unix Shell Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.1
enterprise T1554 Compromise Client Software Binary Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.2
enterprise T1074 Data Staged Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.2
enterprise T1140 Deobfuscate/Decode Files or Information Kobalos decrypts strings right after the initial communication, but before the authentication process.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Kobalos‘s post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.12
enterprise T1573.002 Asymmetric Cryptography Kobalos‘s authentication and key exchange is performed using RSA-512.12
enterprise T1048 Exfiltration Over Alternative Protocol Kobalos can exfiltrate credentials over the network via UDP.1
enterprise T1070 Indicator Removal -
enterprise T1070.003 Clear Command History Kobalos can remove all command history on compromised hosts.1
enterprise T1070.006 Timestomp Kobalos can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.2
enterprise T1056 Input Capture Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.12
enterprise T1027 Obfuscated Files or Information Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.1
enterprise T1090 Proxy -
enterprise T1090.003 Multi-hop Proxy Kobalos can chain together multiple compromised machines as proxies to reach their final targets.12
enterprise T1082 System Information Discovery Kobalos can record the hostname and kernel version of the target machine.2
enterprise T1016 System Network Configuration Discovery Kobalos can record the IP address of the target machine.2
enterprise T1205 Traffic Signaling Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.12