Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[1][2]

ID: S0641
Platforms: Linux
Contributors: Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 1.0
Created: 24 August 2021
Last Modified: 25 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.[1]

Enterprise T1554 Compromise Host Software Binary

Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[2]

Enterprise T1074 Data Staged

Kobalos can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration.[2]
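The staging pattern above gives a cheap host check: a genuine pid file holds nothing but a decimal process ID, so a file under /var/run that borrows the .pid name and holds anything else deserves a look. The following is an added example, not code from ATT&CK or ESET; the run directory and credential-shaped records in demo() are constructed for it.

```python
"""Added example, not code from ATT&CK or ESET: flag *.pid files that do not hold a PID.

A genuine pid file carries a single decimal process ID, optionally newline-terminated.
A file under /var/run that borrows the .pid extension but holds anything else, such as
captured host/port/user/password records, matches the staging pattern described above.
The run directory in demo() is constructed for this example.
"""
import os
import re
import tempfile

# One decimal integer, optional surrounding whitespace, nothing else.
PID_RE = re.compile(rb"^\s*\d{1,10}\s*$")


def classify_pid_content(data: bytes) -> str:
    """'pid' for a well-formed pid file, 'empty' if blank, otherwise 'suspicious'."""
    if not data.strip():
        return "empty"
    return "pid" if PID_RE.match(data) else "suspicious"


def pid_is_live(data: bytes) -> bool:
    """True if the process named by a well-formed pid file exists (signal-0 probe, no /proc needed)."""
    try:
        pid = int(data.strip())
        os.kill(pid, 0)
    except (ValueError, OverflowError, ProcessLookupError):
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True


def scan_pid_files(directory: str):
    """Return sorted (name, verdict) for every *.pid file under `directory` that merits a look.

    Verdicts: 'suspicious' (content is not a PID), 'empty', and 'stale' (well-formed but
    no such process; usually noise, kept so the analyst sees the whole picture).
    Well-formed pid files naming a live process are not reported.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".pid"):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4096)  # a real pid file is a few bytes; this is plenty
            except OSError:
                continue  # unreadable or vanished: skip rather than guess
            verdict = classify_pid_content(data)
            if verdict == "pid":
                if pid_is_live(data):
                    continue
                verdict = "stale"
            findings.append((name, verdict))
    return sorted(findings)


def demo():
    """Constructed run directory: one live pid file, one stale, one empty, one staged file."""
    with tempfile.TemporaryDirectory() as run_dir:
        with open(os.path.join(run_dir, "crond.pid"), "wb") as fh:
            fh.write(f"{os.getpid()}\n".encode())  # live: our own process
        with open(os.path.join(run_dir, "old-daemon.pid"), "wb") as fh:
            fh.write(b"9999999\n")  # above Linux's maximum pid, so never live
        with open(os.path.join(run_dir, "lock.pid"), "wb") as fh:
            fh.write(b"")
        with open(os.path.join(run_dir, "sshd-stage.pid"), "wb") as fh:
            # constructed records in the host/port/user/password shape, not real credentials
            fh.write(b"10.0.0.5 22 alice hunter2\n10.0.0.9 2222 root Passw0rd!\n")
        return scan_pid_files(run_dir)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:10s} {name}")
```

Run it against /var/run (and /run, which is the same directory on most modern distributions) as root so every file is readable; a 'suspicious' verdict on a file whose name does not match any installed service is the finding, while 'stale' entries are ordinary leftovers from daemons that exited uncleanly.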

Enterprise T1140 Deobfuscate/Decode Files or Information

Kobalos decrypts strings right after the initial communication, but before the authentication process.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Kobalos's post-authentication communication channel encrypts inbound and outbound traffic with RC4 under a 32-byte key.[1][2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Kobalos's authentication and key exchange are performed using RSA-512.[1][2] A 512-bit RSA modulus is far below current minimums and has been factorable with modest computing resources since the late 1990s, so an analyst holding the public key and a capture of the exchange may be able to recover the session keys.

Enterprise T1048 Exfiltration Over Alternative Protocol

Kobalos can exfiltrate credentials over the network via UDP.[1]

Enterprise T1070 .003 Indicator Removal: Clear Command History

Kobalos can remove all command history on compromised hosts.[1]

Enterprise T1070 .006 Indicator Removal: Timestomp

Kobalos can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy Kobalos.[2]
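Timestomping of a replaced binary leaves two things behind that utime()-style tools cannot hide: the inode change time (ctime), which the kernel sets itself on every inode change and offers no call to set, and the file's contents, which no longer match the distribution's package. The following is an added example, not code from ATT&CK or ESET; the stand-in ssh binary, the replacement and the known-good digest in demo() are all constructed for it.

```python
"""Added example, not code from ATT&CK or ESET: two checks for a binary suspected of
having been replaced and timestomped, such as the ssh client or sshd named above.

1. utime()-style timestomping (touch -r, os.utime) rewrites atime and mtime only. The
   kernel stamps ctime with the current clock on every inode change and offers no call
   to set it, so a ctime well after mtime shows the inode was changed after the time the
   file claims. A package upgrade leaves the same trace, so treat it as a lead, not proof.
2. Compare the file's SHA-256 with a known-good digest. The reference digest here is
   taken from the constructed clean file inside demo(); on a real host use the package
   manifest (dpkg -V, rpm -V) or a copy from clean media.
"""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def timestomp_indicators(path, known_good_sha256=None, skew_seconds=3600):
    """Return raw timestamps, the digest, two boolean indicators and a combined verdict.

    On Linux st_ctime is the inode change time; on Windows it is creation time and the
    first check does not apply.
    """
    st = os.stat(path)
    digest = sha256_of(path)
    ctime_after_mtime = (st.st_ctime - st.st_mtime) > skew_seconds
    hash_mismatch = known_good_sha256 is not None and digest != known_good_sha256
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "sha256": digest,
        "ctime_after_mtime": ctime_after_mtime,
        "hash_mismatch": hash_mismatch,
        "suspect": ctime_after_mtime and hash_mismatch,
    }


def demo():
    """Constructed scenario: a stand-in ssh binary 'installed' a year ago, then the same
    path after a trojanized replacement whose mtime is copied back to the old value.
    Returns (clean_report, stomped_report)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh")
        a_year_ago = time.time() - 365 * 86400

        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /usr/bin/ssh.real \"$@\"\n")  # stand-in for the clean client
        os.utime(path, (a_year_ago, a_year_ago))  # as a package install would leave it
        known_good = sha256_of(path)
        clean = timestomp_indicators(path, known_good)

        with open(path, "wb") as fh:  # attacker drops the credential-stealing replacement
            fh.write(b"#!/bin/sh\nlog_creds \"$@\"; exec /usr/bin/ssh.real \"$@\"\n")
        os.utime(path, (a_year_ago, a_year_ago))  # ... and copies the old timestamps back
        stomped = timestomp_indicators(path, known_good)
        return clean, stomped


if __name__ == "__main__":
    for label, report in zip(("clean", "stomped"), demo()):
        print(label, {k: report[k] for k in ("ctime_after_mtime", "hash_mismatch", "suspect")})
```

Note that the clean report also shows ctime after mtime, exactly as a freshly installed package does; it is the combination with a digest mismatch that makes the replaced file a finding. An attacker who can set the system clock or write the inode directly can defeat the ctime check, which is why the digest comparison, ideally against a manifest held off-host, is the one to rely on.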

Enterprise T1056 Input Capture

Kobalos has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host.[1][2]

Enterprise T1027 Obfuscated Files or Information

Kobalos encrypts all strings using RC4 and packs all of its functionality into a single function that calls itself recursively to carry out subtasks, which hinders static analysis.[1]
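Both the T1140 entry (strings decrypted at run time) and the T1027 entry above (strings stored RC4-encrypted) come down to the same analyst task: once the key is pulled from the binary, decrypt the string table; and when several strings are each encrypted under one RC4 key, one guessable string gives the keystream prefix that decrypts the others without the key at all. The following is an added example, not code from ATT&CK or ESET, and it goes beyond the page in showing the keystream-reuse shortcut; the [len][ciphertext] layout, the key and the strings are all constructed assumptions for this example.

```python
"""Added example, not code from ATT&CK or ESET: the RC4 string-table decryptor an analyst
writes once the key has been pulled from the binary, plus the shortcut that per-string
RC4 under one key hands you even without the key.

Everything about the layout is a constructed assumption for this example: each entry is a
one-byte length followed by that many bytes of ciphertext, and every entry is encrypted
separately under the same key, so each one starts the RC4 keystream from byte 0.
"""


def rc4(key, data):
    """Textbook RC4 (KSA, then PRGA XORed over the data). Encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def entries(blob):
    """Walk the constructed [len][ciphertext] layout, yielding (index, ciphertext)."""
    pos, idx = 0, 0
    while pos < len(blob):
        n = blob[pos]
        yield idx, blob[pos + 1:pos + 1 + n]
        pos += 1 + n
        idx += 1


def build_table(strings, key):
    """Constructed packer standing in for the malware's build step."""
    blob = bytearray()
    for s in strings:
        raw = s.encode()
        blob.append(len(raw))
        blob += rc4(key, raw)
    return bytes(blob)


def decrypt_table(blob, key):
    """With the key: decrypt every entry."""
    return [rc4(key, ct).decode(errors="replace") for _, ct in entries(blob)]


def keystream_from_known(blob, index, known_plaintext):
    """Without the key: one entry whose plaintext you can guess gives the keystream prefix,
    because ciphertext XOR plaintext is the keystream and every entry reuses the same one."""
    ct = dict(entries(blob))[index]
    return bytes(c ^ p for c, p in zip(ct, known_plaintext))


def decrypt_without_key(blob, keystream):
    """Return (recovered_bytes, complete) per entry; entries longer than the prefix come back partial."""
    out = []
    for _, ct in entries(blob):
        out.append((bytes(c ^ k for c, k in zip(ct, keystream)), len(ct) <= len(keystream)))
    return out


# Constructed demo data; the key is a placeholder, not one recovered from any sample.
KEY = b"demo-key-not-the-real-one"
STRINGS = ["/var/run", ".pid", "/bin/sh", "hostname", "uname -r"]

if __name__ == "__main__":
    blob = build_table(STRINGS, KEY)
    print(decrypt_table(blob, KEY))
    ks = keystream_from_known(blob, 2, b"/bin/sh")  # guess: a shell path is easy to spot
    print(decrypt_without_key(blob, ks))
```

The rc4() routine is checked against the standard test vector (key "Key", plaintext "Plaintext"), so the decryptor can be trusted before it is pointed at a real table. The keystream shortcut is only available because each entry restarts the keystream; a sample that keeps one running RC4 state across the whole table, or derives a per-string key, does not leak this way, and the correct reaction then is to recover the key and call decrypt_table().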

Enterprise T1090 .003 Proxy: Multi-hop Proxy

Kobalos can chain together multiple compromised machines as proxies so that its operators reach their final targets through several hops.[1][2]

Enterprise T1082 System Information Discovery

Kobalos can record the hostname and kernel version of the target machine.[2]

Enterprise T1016 System Network Configuration Discovery

Kobalos can record the IP address of the target machine.[2]

Enterprise T1205 Traffic Signaling

Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port; when embedded in sshd, a connection to the SSH port from that source port is handed to the backdoor instead of the normal service, so the trigger blends into ordinary SSH traffic and opens no listening port of its own.[1][2]
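Because the trigger rides on the service's own port, the observable is the client side: a normal SSH client gets a kernel-randomised ephemeral source port, so the same source port recurring on inbound SYNs to the service across different clients is the anomaly to alert on. The following detector is an added example, not code from ATT&CK or ESET; the kernel log lines are constructed in the shape of netfilter LOG output, and 48211 is a placeholder port, not a value taken from any report.

```python
"""Added example, not code from ATT&CK or ESET: spot a fixed 'magic' source port on
inbound SYNs to a service in netfilter LOG-style kernel log lines.

The log lines are constructed for the demo and 48211 is a placeholder port chosen for
this example, not a value from any report.
"""
import re
from collections import defaultdict

# Field subset of a netfilter LOG line, e.g.
#   kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 ... PROTO=TCP SPT=51344 DPT=22 ... SYN URGP=0
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)

SAMPLE_LOG = """\
Jan 28 09:12:01 login1 kernel: IPT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7712 DF PROTO=TCP SPT=51344 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 28 09:12:40 login1 kernel: IPT: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7713 DF PROTO=TCP SPT=37190 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 28 09:13:05 login1 kernel: IPT: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=1020 DF PROTO=TCP SPT=48211 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 28 09:13:05 login1 kernel: IPT: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.10 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=1021 DF PROTO=TCP SPT=48211 DPT=22 WINDOW=502 RES=0x00 ACK PSH URGP=0
Jan 28 11:40:22 login1 kernel: IPT: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3301 DF PROTO=TCP SPT=48211 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 28 11:41:50 login1 kernel: IPT: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3302 DF PROTO=TCP SPT=48211 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 29 02:03:14 login1 kernel: IPT: IN=eth0 OUT= SRC=203.0.113.40 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=9120 DF PROTO=TCP SPT=48211 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 29 02:05:00 login1 kernel: IPT: IN=eth0 OUT= SRC=203.0.113.40 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=9121 DF PROTO=TCP SPT=40022 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""


def parse_tcp_syns(lines):
    """Yield (src, spt, dst, dpt) for TCP lines whose flags carry SYN but not ACK,
    i.e. new inbound connection attempts rather than replies or mid-stream segments."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        flags = set(m.group("rest").split())
        if "SYN" in flags and "ACK" not in flags:
            yield m.group("src"), int(m.group("spt")), m.group("dst"), int(m.group("dpt"))


def flag_fixed_source_ports(lines, service_port=22, min_hits=3):
    """Map source port -> sorted [(src, dst), ...] for every source port seen on at least
    min_hits SYNs to service_port. Randomised ephemeral ports almost never repeat this
    way, so any entry in the result is worth an analyst's attention."""
    hits = defaultdict(list)
    for src, spt, dst, dpt in parse_tcp_syns(lines):
        if dpt == service_port:
            hits[spt].append((src, dst))
    return {spt: sorted(v) for spt, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for spt, peers in flag_fixed_source_ports(SAMPLE_LOG.splitlines()).items():
        print(f"source port {spt} reused on {len(peers)} SYNs to ssh:")
        for src, dst in peers:
            print(f"  {src} -> {dst}")
```

A rule such as `iptables -I INPUT -p tcp --dport 22 --syn -j LOG --log-prefix "IPT: "` produces the SYN lines this parser expects on a real host; the detector deliberately keys on the source port rather than on client addresses, since operators reach the backdoor through the proxy chain described under T1090.003 and the addresses vary while the trigger port does not. Once a port is confirmed, the same match (`-p tcp --dport 22 --sport <port> --syn`) can drop the trigger at the firewall while the trojanized sshd is being replaced.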