Kobalos: a New Linux Threat that Steals SSH Credentials

Linux is generally considered a more secure operating system than Windows. The truth is that attackers set their sights on wherever there are more users and, therefore, more chances of success. In this article we cover Kobalos, a new threat that affects Linux and aims to steal SSH credentials through a maliciously modified OpenSSH installation.

Kobalos, a Linux threat that steals SSH credentials

A group of security researchers has discovered this problem affecting Linux systems. It is a maliciously modified version of OpenSSH that can be used to steal SSH credentials. It has been named Kobalos, and the researchers describe it as complex and deceptive.

Kobalos

The Kobalos backdoor has hit some important targets, including government systems, European universities and even internet service providers. So far it has been confirmed to affect Linux, FreeBSD and Solaris, but the experts indicate that there could be variants of this malware that also affect Windows.

ESET security researchers reverse engineered Kobalos so that they could scan the internet for victims of this malware. In most cases the affected machines were institutional computing systems and supercomputers, but they also found compromised private servers.

ESET was unable to establish the initial attack vector that allowed hackers to gain administrative access to install Kobalos. However, some of the compromised systems “were running on older, unsupported or unpatched operating systems and software,” so exploiting a known vulnerability is a likely scenario.

Although the researchers spent months analyzing the malware, they were unable to determine its exact purpose, because it only includes generic commands and carries no specific payload.

Kobalos provides remote access to the file system and can spawn terminal sessions, allowing attackers to execute arbitrary commands. On systems where further analysis was possible, the researchers found an OpenSSH client that had been turned into a Trojan. In this way it could log the username, the password and the name of the destination host.

The researchers believe that credential theft could explain how the malware spreads to other systems on the same network, or to other networks in academia, since students and researchers from multiple universities may have SSH access to pools of supercomputers.

Very lightweight malware

One of the characteristics that most surprised the researchers is its small size: the malware occupies only 24 KB. Despite that, it is a fairly complex piece of malware and uses obfuscation techniques that make it difficult to analyze.

Its codebase includes the code needed to run a command-and-control server, so the attackers can turn any previously compromised server into one.

To mitigate attacks, the security company recommends that users enable two-factor authentication for connections to SSH servers. ESET says its products detect the malware as Linux/Kobalos or Linux/Agent.IV, while the SSH credential stealer is detected as Linux/SSHDoor.EV, Linux/SSHDoor.FB or Linux/SSHDoor.FC.
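As an added example (not code from the article or from ESET), the following POSIX shell script performs two checks that follow from the mitigation above: whether an sshd_config enforces a second factor on every permitted login path, and whether the installed OpenSSH client still matches its distribution package, given that the article describes a trojanized client. It assumes a single sshd_config with no Include directive, global settings placed before any Match block, and an rpm- or dpkg-based host for the package check.

```shell
#!/bin/sh
# Added example (not from the article or from ESET): two defender-side checks
# for the Kobalos scenario. Assumes a single sshd_config (no Include) and
# ignores everything after the first Match block.

# Print the first global value of a keyword (sshd uses the first occurrence).
# $1 = keyword in lowercase, $2 = path to sshd_config
get_sshd_opt() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        tolower($1) == "match"   { exit }            # global section ends here
        tolower($1) == key       { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$2"
}

# Return 0 when every permitted login path chains at least two methods
# (e.g. "publickey,keyboard-interactive"), so a stolen password alone is
# not enough; return 1 when a single-method path exists or the option is unset.
sshd_requires_second_factor() {
    methods=$(get_sshd_opt authenticationmethods "$1" | tr 'A-Z' 'a-z')
    [ -n "$methods" ] || return 1
    for alt in $methods; do                          # alternatives are space-separated
        case "$alt" in
            *,*) ;;                                  # comma = methods required in sequence
            *)   return 1 ;;                         # one method is enough here: weak
        esac
    done
    return 0
}

# Compare the installed ssh client with the distribution package. The package
# tool prints one line per file that differs from the package metadata, so
# empty output means nothing differs.
verify_ssh_client() {
    bin=$(command -v ssh) || { echo "ssh not found" >&2; return 2; }
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin"
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V "$(dpkg -S "$bin" | cut -d: -f1)"
    else
        echo "no rpm/dpkg: compare sha256sum $bin with a known-good copy" >&2
        return 2
    fi
}

# Usage on a live host:
#   sshd_requires_second_factor /etc/ssh/sshd_config && echo "second factor enforced"
#   verify_ssh_client
```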