Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos has been deployed against high-profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. Kobalos was first identified in late 2019.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1554 | Compromise Host Software Binary | Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.[2] |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | Kobalos can chain together multiple compromised machines as proxies to reach its final targets.[1][2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[1][2] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Kobalos's authentication and key exchange are performed using RSA-512.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Kobalos decrypts strings right after the initial communication, but before the authentication process.[2] |
| Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.[1] |
| Enterprise | T1074 | Data Staged | Kobalos can write captured SSH connection credentials to a file under the |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Kobalos can exfiltrate credentials over the network via UDP.[1] |
| Enterprise | T1205 | Traffic Signaling | Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information | Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.[1] |
| Enterprise | T1070.003 | Indicator Removal: Clear Command History | Kobalos can remove all command history on compromised hosts.[1] |
| Enterprise | T1070.006 | Indicator Removal: Timestomp | Kobalos can modify timestamps of replaced files, such as |
| Enterprise | T1082 | System Information Discovery | Kobalos can record the hostname and kernel version of the target machine.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1056 | Input Capture | Kobalos has used a compromised SSH client to capture the hostname, port, username, and password used to establish an SSH connection from the compromised host.[1][2] |