SYMBOL: elf.kobalos
COMMON_NAME: Kobalos

There is no description at this point.

References
2021-02-05 | Team Cymru | David Monnier
Kobalos Malware Mapping Potentially Impacted Networks and IP Address Mapping
https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/
@online{monnier:20210205:kobalos:e8f562f, author = {David Monnier}, title = {{Kobalos Malware Mapping Potentially Impacted Networks and IP Address Mapping}}, date = {2021-02-05}, organization = {Team Cymru}, url = {https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/}, language = {English}, urldate = {2021-02-06} }

2021-02-02 | ESET Research | Marc-Etienne M.Léveillé, Ignacio Sanmillan
Kobalos – A complex Linux threat to high performance computing infrastructure
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
@online{mlveill:20210202:kobalos:5bb5548, author = {Marc-Etienne M.Léveillé and Ignacio Sanmillan}, title = {{Kobalos – A complex Linux threat to high performance computing infrastructure}}, date = {2021-02-02}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/}, language = {English}, urldate = {2021-02-02} }

2020-02-02 | ESET Research | Marc-Etienne M.Léveillé, Ignacio Sanmillan
TLP: WHITE – A WILD KOBALOS APPEARS – Tricksy Linux malware goes after HPCs
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf
@techreport{mlveill:20200202:tlp:39ce93c, author = {Marc-Etienne M.Léveillé and Ignacio Sanmillan}, title = {{TLP: WHITE A WILD KOBALOS APPEARSTricksy Linux malware goes after HPCs}}, date = {2020-02-02}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf}, language = {English}, urldate = {2021-02-04} }
Yara Rules
[TLP:WHITE] elf_kobalos_w0 (20210202 | Kobalos malware)
rule elf_kobalos_w0 {
    meta:
        description = "Kobalos malware"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos"
        malpedia_rule_date = "20210202"
        malpedia_hash = ""
        malpedia_version = "20210202"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $encrypted_strings_sizes = {
            05 00 00 00 09 00 00 00  04 00 00 00 06 00 00 00
            08 00 00 00 08 00 00 00  02 00 00 00 02 00 00 00
            01 00 00 00 01 00 00 00  05 00 00 00 07 00 00 00
            05 00 00 00 05 00 00 00  05 00 00 00 0A 00 00 00
        }
        $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
        $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
        $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }

    condition:
        any of them
}
[TLP:WHITE] elf_kobalos_w1 (20210202 | Kobalos SSH credential stealer seen in OpenSSH client)
rule elf_kobalos_w1 {
    meta:
        description = "Kobalos SSH credential stealer seen in OpenSSH client"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos"
        malpedia_rule_date = "20210202"
        malpedia_hash = ""
        malpedia_version = "20210202"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"

    condition:
        any of them
}