A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communication channel.
“The malware uses NKN technology for data exchange between peers, acts as a powerful implant, and has flooding and backdoor capabilities,” Russian cybersecurity company Kaspersky said in a Thursday report.
NKN, which has more than 62,000 nodes, is described as a “software overlay network built on top of today’s Internet that enables users to share unused bandwidth and earn token rewards.” It adds a blockchain layer on top of the existing TCP/IP stack.
While threat actors are known to abuse emerging communication protocols for command-and-control (C2) and to evade detection, NKAbuse goes further by using the blockchain-based NKN network both to conduct distributed denial-of-service (DDoS) attacks and to act as an implant within compromised systems.
Specifically, it uses the protocol to communicate with the bot master, sending and receiving commands over it. The malware is written in Go, and the available evidence points to it being used primarily against Linux systems, including IoT devices.
It is currently unknown how widespread the attacks are, but one intrusion identified by Kaspersky involved exploiting a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company.
Successful exploitation is followed by the delivery of an initial shell script that downloads the implant from a remote server, but only after fingerprinting the target host’s operating system. The server hosting the malware offers eight builds of NKAbuse to cover different CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el.
Another notable aspect is the lack of a self-propagation mechanism: the malware must be delivered to a target through some other initial access path, such as the exploitation of a security flaw.
“NKAbuse uses cron jobs to survive reboots,” Kaspersky said. “To achieve that, it needs to be root. It checks that the current user ID is 0 and, if so, continues to parse the current crontab, adding itself for each reboot.”
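The persistence described above leaves a visible trace in root’s crontab. The following added example (written for this page, not Kaspersky’s or the malware author’s code) audits saved crontab text and flags entries that run at every reboot or that launch an executable from a volatile, world-writable directory. It assumes the implant registers an `@reboot` entry, which is the ordinary way to run a command “for each reboot” from a crontab; the sample crontab and the directory list are constructed for the example and are not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `crontab -l -u root` output; not taken from a real infection.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /usr/local/bin/node_exporter --web.listen-address=:9100
@reboot /tmp/.x/app >/dev/null 2>&1
*/5 * * * * /var/tmp/sysupdate -d
"""

# Directories an implant dropped by a web exploit typically lands in.
# Assumption for this example, not a list from the report.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Cron's @-shortcuts, e.g. "@reboot <command>".
SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|midnight|hourly)\s+(.*)$")
# Classic five-field schedule followed by the command.
FIELDS = re.compile(r"^(?:\S+\s+){5}(.*)$")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def parse_entry(entry: str) -> Optional[Tuple[str, str]]:
    """Return (schedule_kind, command) for a crontab line.

    Comments, blank lines and NAME=value environment lines yield None.
    schedule_kind is the @-shortcut name (e.g. "reboot") or "scheduled".
    """
    s = entry.strip()
    if not s or s.startswith("#"):
        return None
    m = SPECIAL.match(s)
    if m:
        return m.group(1), m.group(2)
    m = FIELDS.match(s)
    if m:
        return "scheduled", m.group(1)
    return None  # environment assignment or malformed line


def audit_crontab(text: str) -> List[Finding]:
    """Flag crontab entries worth a second look; returns one Finding per flagged line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, cmd = parsed
        parts = cmd.split()
        exe = parts[0] if parts else ""
        reasons: List[str] = []
        if kind == "reboot":
            reasons.append("persists across reboots (@reboot)")
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"executable lives in a volatile/world-writable dir: {exe}")
        if "/." in exe:
            reasons.append("hidden path component in executable path")
        if reasons:
            findings.append(Finding(line=raw.strip(), reasons=reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Feed it the output of `crontab -l -u root` on the host under investigation (and, separately, the files under `/etc/cron.d`, which use a six-field format with a user column and would need the pattern widened). A legitimate `@reboot` entry such as a monitoring agent is still listed, because the point is to surface everything that survives a reboot for an analyst to clear; an entry launching a hidden binary from `/tmp` as root is the pattern the report describes and collects all three reasons.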
NKAbuse also includes a set of backdoor features that allow it to periodically send a heartbeat message to the bot master containing information about the system, take screenshots of the current screen, perform file operations, and run system commands.
“This particular implant appears to have been carefully crafted for integration into a botnet; however, it may adapt to act as a backdoor to a specific host,” Kaspersky said. “Furthermore, its use of blockchain technology ensures reliability and anonymity, which indicates the potential for this botnet to continue to expand over time, as there is no identifiable central controller.”