There is no description at this point.
rule elf_kobalos_w0 {
    meta:
        description = "Kobalos malware"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos"
        malpedia_rule_date = "20210202"
        malpedia_hash = ""
        malpedia_version = "20210202"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $encrypted_strings_sizes = {
            05 00 00 00 09 00 00 00 04 00 00 00 06 00 00 00
            08 00 00 00 08 00 00 00 02 00 00 00 02 00 00 00
            01 00 00 00 01 00 00 00 05 00 00 00 07 00 00 00
            05 00 00 00 05 00 00 00 05 00 00 00 0A 00 00 00
        }
        $password_md5_digest = { 3ADD48192654BD558A4A4CED9C255C4C }
        $rsa_512_mod_header = { 10 11 02 00 09 02 00 }
        $strings_rc4_key = { AE0E05090F3AC2B50B1BC6E91D2FE3CE }

    condition:
        any of them
}

rule elf_kobalos_w1 {
    meta:
        description = "Kobalos SSH credential stealer seen in OpenSSH client"
        author = "Marc-Etienne M.Léveillé"
        date = "2020-11-02"
        reference = "http://www.welivesecurity.com"
        source = "https://github.com/eset/malware-ioc/"
        license = "BSD 2-Clause"
        version = "1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos"
        malpedia_rule_date = "20210202"
        malpedia_hash = ""
        malpedia_version = "20210202"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $ = "user: %.128s host: %.128s port %05d user: %.128s password: %.128s"

    condition:
        any of them
}