The malware targeted supercomputers used by a major Asian ISP, an American endpoint security vendor, and a number of private servers, among other targets.
Kobalos is unusual for a number of reasons. Its code base is small, yet complex enough to run on Linux, BSD and Solaris. Cybersecurity firm ESET suspects it may also be capable of targeting IBM AIX and Windows devices.
Marc-Etienne Léveillé, a cybersecurity researcher, said: "It must be said that this level of sophistication is rarely seen in Linux malware."
Working with the CERN Computer Security Team, ESET found that this unusual multi-platform malware targets HPC clusters. In some cases, the malware appears to hijack SSH server connections to steal credentials, which are then used to access HPC clusters and deploy Kobalos.
Kobalos is, in essence, a backdoor. Once it reaches the supercomputer, the code embeds itself in the OpenSSH server executable. The backdoor is triggered when a connection arrives from a particular TCP source port. Other variants act as intermediaries for communication with a traditional command-and-control (C2) server.
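The source-port trigger described above gives defenders a simple network-level signal to look for. The following script is an added example, not ESET's code and not part of the original article: it parses a few constructed firewall-style log lines and flags inbound SSH connections whose source port is outside the ephemeral range, plus any source port reused across connections. The specific port Kobalos listens for is not given in the article, so the threshold `EPHEMERAL_MIN`, the log format, and the sample lines are all assumptions made for this example.

```python
"""Detection heuristic for a source-port-triggered SSH backdoor.

The article says the Kobalos backdoor activates when a connection reaches
the trojanized OpenSSH server from a specific TCP source port. Normal SSH
clients pick ephemeral source ports, so a fixed, low source port reused
across SSH connections is worth triaging. Port threshold and log format
below are assumptions for this example, not values from the article.
"""
import re
from collections import Counter

# Constructed sample lines in a simple firewall-log style (not real logs).
SAMPLE_LOG = """\
2021-02-01T10:00:01Z ACCEPT proto=tcp src=203.0.113.10 spt=51234 dst=198.51.100.5 dpt=22
2021-02-01T10:00:07Z ACCEPT proto=tcp src=203.0.113.11 spt=40017 dst=198.51.100.5 dpt=22
2021-02-01T10:01:15Z ACCEPT proto=tcp src=192.0.2.77 spt=1337 dst=198.51.100.5 dpt=22
2021-02-01T10:02:30Z ACCEPT proto=tcp src=192.0.2.77 spt=1337 dst=198.51.100.6 dpt=22
2021-02-01T10:03:00Z ACCEPT proto=tcp src=203.0.113.12 spt=60100 dst=198.51.100.5 dpt=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) "
    r"spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

# Assumption: Linux default lower bound of net.ipv4.ip_local_port_range.
EPHEMERAL_MIN = 32768
SSH_PORT = 22


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def suspicious_ssh_connections(log_text, ephemeral_min=EPHEMERAL_MIN, min_repeats=2):
    """Return (flagged, repeated).

    flagged:  SSH connection records whose source port is below ephemeral_min.
    repeated: {(src_ip, src_port): count} for source ports reused at least
              min_repeats times against the SSH port.
    """
    flagged = []
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dpt"] != SSH_PORT:
            continue
        counts[(rec["src"], rec["spt"])] += 1
        if rec["spt"] < ephemeral_min:
            flagged.append(rec)
    repeated = {k: v for k, v in counts.items() if v >= min_repeats}
    return flagged, repeated


if __name__ == "__main__":
    flagged, repeated = suspicious_ssh_connections(SAMPLE_LOG)
    for rec in flagged:
        print(f"non-ephemeral SSH source port: {rec['src']}:{rec['spt']} -> {rec['dst']}")
    for (src, spt), n in repeated.items():
        print(f"source port reused {n}x: {src}:{spt}")
```

Non-ephemeral source ports also occur legitimately (NAT devices, some embedded clients), so treat a hit as a triage lead to be confirmed by checking the integrity of the sshd binary against the package manager's manifest, not as proof of compromise on its own.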
Kobalos gives its operators remote access to the file system, lets them spawn terminal sessions, and can also act as a proxy to other servers infected with the malware.
One of the unique aspects of Kobalos is its ability to turn any compromised server into a C2 server with a single command, ESET says.
The malware was a challenge to analyze: all of its code was kept in a single function that repeatedly called itself to perform subtasks, and all strings were encrypted as an additional barrier to reverse engineering.
ESET said: "We were unable to determine the intentions of the Kobalos operators, and system administrators of the compromised devices did not find any other malware, except for the SSH credential-stealing tool."