Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high-profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt. |
| Enterprise | T1554 | Compromise Client Software Binary | Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems. |
| | | | Kobalos can write captured SSH connection credentials to a file under the |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kobalos decrypts strings right after the initial communication, but before the authentication process. |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic. |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Kobalos's authentication and key exchange are performed using RSA-512. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Kobalos can exfiltrate credentials over the network via UDP. |
| Enterprise | T1070.003 | Indicator Removal: Clear Command History | Kobalos can remove all command history on compromised hosts. |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Kobalos can modify timestamps of replaced files, such as |
| | | | Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host. |
| Enterprise | T1027 | Obfuscated Files or Information | Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call. |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Kobalos can chain together multiple compromised machines as proxies to reach their final targets. |
| Enterprise | T1082 | System Information Discovery | Kobalos can record the hostname and kernel version of the target machine. |
| Enterprise | T1016 | System Network Configuration Discovery | Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port. |
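The activation pattern described above (an inbound TCP connection to a legitimate service that arrives from one fixed source port) is something a defender can hunt for in connection logs. The following Python is an added example, not code from this page or from any Kobalos analysis; it assumes a constructed conntrack-style log format and a placeholder trigger port (the real port is not stated here), and it also generalizes to a port-agnostic check that flags any client reusing one source port against several hosts, which ordinary clients with OS-assigned ephemeral ports do not do.

```python
import re
TRIGGER_SRC_PORT = 55555          # PLACEHOLDER: the real trigger port is not on this page
LEGIT_SERVICE_PORTS = {22, 80, 443}  # assumed services exposed by the monitored host

# Constructed conntrack-style format: "<ts> proto=<p> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = """\
2024-01-01T00:00:01Z proto=tcp src=203.0.113.7:55555 dst=192.0.2.10:22
2024-01-01T00:00:02Z proto=tcp src=203.0.113.7:41022 dst=192.0.2.10:22
2024-01-01T00:00:03Z proto=tcp src=203.0.113.7:55555 dst=192.0.2.11:443
2024-01-01T00:00:04Z proto=udp src=203.0.113.7:55555 dst=192.0.2.10:53
2024-01-01T00:00:05Z proto=tcp src=198.51.100.5:55555 dst=192.0.2.12:80
2024-01-01T00:00:06Z proto=tcp src=203.0.113.7:55555 dst=192.0.2.12:80
2024-01-01T00:00:07Z proto=tcp src=203.0.113.7:55555 dst=192.0.2.10:8080
"""

def parse_line(line):
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_trigger_connections(lines, trigger_port=TRIGGER_SRC_PORT, service_ports=LEGIT_SERVICE_PORTS):
    """TCP connections to a legitimate service port that arrive from the known trigger source port."""
    return [r for r in map(parse_line, lines)
            if r and r["proto"] == "tcp" and r["sport"] == trigger_port and r["dport"] in service_ports]

def fixed_source_port_reuse(lines, min_targets=3):
    """Port-agnostic variant: (client ip, source port) pairs seen against >= min_targets hosts.
    NAT gateways and some load balancers also reuse source ports and are known false positives."""
    targets = {}
    for r in map(parse_line, lines):
        if r and r["proto"] == "tcp":
            targets.setdefault((r["sip"], r["sport"]), set()).add(r["dip"])
    return {k: v for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for h in find_trigger_connections(SAMPLE_LOG.splitlines()):
        print("trigger-port connection:", h["ts"], h["sip"], "->", h["dip"], h["dport"])
    for (sip, sport), dips in fixed_source_port_reuse(SAMPLE_LOG.splitlines()).items():
        print("fixed source port reuse:", sip, sport, "->", sorted(dips))
```

On the sample log the first check reports the four connections from port 55555 to ports 22, 443 and 80 (the UDP line and the connection to 8080 are ignored), and the second check reports only the client that hit three different hosts from the same source port.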