Researchers at ESET have discovered a targeted backdoor for Linux and UNIX systems that they are calling Kobalos. Though not widespread, the actors behind the malware are infecting high-performance computing (HPC) clusters and servers in academic and research environments. How the actor gained access is not currently known. ESET noted that in some of the infections, the compromised hosts ran "old, unsupported or unpatched operating systems and software."
After months of analysis, the exact intent of Kobalos is still uncertain. The commands observed appeared generic and no further payload was delivered. The malware is a trojanized OpenSSH client: it replaces the /usr/bin/ssh file on UNIX systems with a malicious version that records usernames, passwords and the target hostname and saves them to an encrypted file. Because students and researchers from multiple universities may have access to supercomputer clusters, ESET believes this credential theft may be one of the ways in which the malware currently spreads.
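One defender's check for the replacement described above, added here as an example and not code from ESET or the article: on Debian/Ubuntu hosts, dpkg records the MD5 of every installed file in /var/lib/dpkg/info/<package>.md5sums, so the ssh client can be compared against the openssh-client manifest. The manifest path and package name are Debian conventions; the sample manifest in the test is constructed.

```python
"""Compare files on disk against a dpkg .md5sums manifest.

Manifest format: one "<md5>  <path>" line per file, two spaces between the
fields, paths relative to / (e.g. "usr/bin/ssh"). A replaced ssh client
shows up as "modified". Caveat: an attacker with root can rewrite the
manifest too, so a clean result is necessary, not sufficient; when in doubt
compare against a pristine package downloaded from a mirror.
"""
import hashlib
import os
import sys


def parse_md5sums(text):
    """Return {relative_path: md5hex} parsed from .md5sums content."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.rstrip().partition("  ")
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    """Stream a file through MD5 (dpkg's recorded digest algorithm)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(text, root="/"):
    """Return {relative_path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for rel, expected in parse_md5sums(text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of_file(full) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


if __name__ == "__main__":
    # Assumed default: the Debian/Ubuntu manifest for the ssh client package.
    manifest = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/dpkg/info/openssh-client.md5sums"
    with open(manifest) as fh:
        for rel, status in sorted(verify_manifest(fh.read()).items()):
            if status != "ok":
                print(f"{status}: /{rel}")
```

Running it on the rpm side is analogous (`rpm -V openssh-clients` performs the same comparison from the RPM database), and either check should be run from a known-good boot medium when a compromise is suspected.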