A recently discovered multi-platform threat, named NKAbuse, has emerged as a significant cybersecurity concern. This malicious entity exploits a decentralized peer-to-peer network connectivity protocol called NKN (New Kind of Network) for communication purposes. The malware, characterized by Russian cybersecurity firm Kaspersky in a recent report, operates as a powerful implant with both flooder and backdoor capabilities.
NKN, a software overlay network boasting over 62,000 nodes, utilizes a unique approach by incorporating a blockchain layer on top of the existing TCP/IP stack. This design allows users to share unused bandwidth and earn token rewards, creating a distinctive communication infrastructure. However, NKAbuse takes advantage of this technology to conduct distributed denial-of-service (DDoS) attacks and establish itself as an implant within compromised systems.
In the realm of cyber threats, it’s not uncommon for malicious actors to exploit emerging communication protocols for command-and-control purposes to evade detection. NKAbuse, however, goes a step further by leveraging blockchain technology to execute DDoS attacks and serve as an implant within compromised systems. The malware uses NKN to communicate with the bot master and execute commands. Developed in the Go programming language, NKAbuse seems to primarily target Linux systems, including IoT devices.
While the extent of these attacks remains unknown, Kaspersky identified an instance involving the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an undisclosed financial company. Upon successful exploitation, the malware deploys an initial shell script responsible for downloading the implant from a remote server. Notably, the malware lacks a self-propagation mechanism, requiring delivery to the target through an initial access pathway, such as the exploitation of security vulnerabilities.
NKAbuse exhibits resilience by using cron jobs to survive system reboots. This requires root access, and the malware checks the current user ID to confirm this. Once established, it manipulates the crontab to ensure its persistence through reboots.
The malware incorporates various backdoor features, enabling it to send periodic heartbeat messages to the bot master, providing system information. Additionally, NKAbuse can capture screenshots, perform file operations, and execute system commands. Kaspersky suggests that the meticulously crafted implant is adaptable, capable of integration into a botnet or functioning as a backdoor in a specific host. The use of blockchain technology ensures reliability and anonymity, hinting at the potential for the botnet to expand steadily over time without a centralized controller.
CyberSec84 | Cybersecurity news. 
Leave a comment