
This devious Linux malware is targeting supercomputers


Security researchers have identified a new malware that interestingly targets supercomputing clusters.

Dubbed Kobalos by the researchers at security firm ESET, the malware targets multiple operating systems including Linux, FreeBSD and Solaris, and perhaps even AIX and Windows.

“This is not your typical Linux malware. This one is more sophisticated, and its unique control flow obfuscation makes the analysis more tedious,” wrote the researchers on Twitter while sharing their analysis.

Small and mischievous

In their detailed analysis of Kobalos, the researchers note that one of the things that makes this malware unique is that it also bundles the code for running a Command & Control (C&C) server. This means that the attackers can turn any compromised server into a C&C server with just a single command.

The researchers worked with security experts at CERN, the European Organization for Nuclear Research, and other organizations that are involved in mitigating attacks on scientific networks.

Upon reverse engineering the malware, the researchers identified a mechanism to remotely detect compromised systems. They used this knowledge to scan the Internet for potential victims and discovered several high-profile targets, including high-performance computing clusters, servers in academia in Europe, an endpoint security vendor, and several personal and government servers in North America, as well as a large ISP in Asia.

Tip of the iceberg

Worryingly, the researchers note that Kobalos includes only broad, generic commands, which conceal the true intent of the attackers.

In most systems compromised by Kobalos, the SSH client is also compromised so that it steals credentials, but credential theft seemed like a small goal for such a sophisticated piece of malware.
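Because a compromised SSH client is the most common symptom the researchers describe, the check a defender wants is whether the installed client binary still matches a known-good copy. The script below is an added illustration, not ESET's detection mechanism and not a Kobalos-specific signature: it records SHA-256 digests of trusted binaries as a baseline and later reports any that have changed or gone missing. The file names, contents and the "tampering" in the demo are all constructed for the example.

```python
"""Added example: a minimal file-integrity baseline check of the kind a
defender would run against the SSH client binary. It makes no assumption
about how any particular malware modifies the client; it simply records
SHA-256 digests of trusted files and reports any that later differ."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the digest of each trusted binary, keyed by absolute path."""
    return {os.path.abspath(p): sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Compare current digests against a stored baseline.

    Returns a dict of path -> status, where status is 'ok', 'modified'
    (contents differ from the baseline) or 'missing' (file no longer exists).
    """
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_of(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Constructed demonstration: two fake 'binaries' in a temporary
    directory, one of which is altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as d:
        ssh = os.path.join(d, "ssh")
        scp = os.path.join(d, "scp")
        with open(ssh, "wb") as f:
            f.write(b"\x7fELF fake ssh client (constructed)")
        with open(scp, "wb") as f:
            f.write(b"\x7fELF fake scp client (constructed)")

        baseline = build_baseline([ssh, scp])
        # A real baseline is stored off-host; here we just round-trip it
        # through JSON to show it serialises cleanly.
        baseline = json.loads(json.dumps(baseline))

        # Simulate a modified client: the file's contents change on disk.
        with open(ssh, "ab") as f:
            f.write(b" + constructed modification")

        report = check_baseline(baseline)
        return {os.path.basename(p): s for p, s in report.items()}


if __name__ == "__main__":
    print(demo())  # {'ssh': 'modified', 'scp': 'ok'}
```

On a packaged system the same comparison is available from the package manager itself (`rpm -V openssh-clients` on RPM-based distributions, `dpkg --verify` or `debsums` on Debian-based ones), which has the advantage that the baseline comes from the vendor rather than from a possibly already-compromised host; the script above is useful when no such metadata exists or when the baseline must live off the machine.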

“This was an intriguing and challenging piece of malware to analyze,” admitted ESET’s Senior Malware Researcher Marc-Etienne Léveillé on Twitter, adding that given the versatility of the malware “we may be seeing only the tip of the iceberg…”