Kobalos
Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .004 | Command and Scripting Interpreter: Unix Shell |
Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.[1] |
| Enterprise | T1554 | Compromise Client Software Binary |
Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[2] |
|
| Enterprise | T1074 | Data Staged |
Kobalos can write captured SSH connection credentials to a file under the |
|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Kobalos decrypts strings right after the initial communication, but before the authentication process.[2] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[1][2] |
| .002 | Encrypted Channel: Asymmetric Cryptography |
Kobalos's authentication and key exchange is performed using RSA-512.[1][2] |
||
| Enterprise | T1048 | Exfiltration Over Alternative Protocol |
Kobalos can exfiltrate credentials over the network via UDP.[1] |
|
| Enterprise | T1070 | .003 | Indicator Removal on Host: Clear Command History |
Kobalos can remove all command history on compromised hosts.[1] |
| .006 | Indicator Removal on Host: Timestomp |
Kobalos can modify timestamps of replaced files, such as |
||
| Enterprise | T1056 | Input Capture |
Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[1][2] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[1] |
|
| Enterprise | T1090 | .003 | Proxy: Multi-hop Proxy |
Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[1][2] |
| Enterprise | T1082 | System Information Discovery |
Kobalos can record the hostname and kernel version of the target machine.[2] |
|
| Enterprise | T1016 | System Network Configuration Discovery | ||
| Enterprise | T1205 | Traffic Signaling |
Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[1][2] |
|