A new multiplatform threat uses the peer-to-peer (P2P) NKN network connectivity protocol as a communication channel for launching a range of attacks, from distributed denial-of-service (DDoS) floods to remote access trojan (RAT) functionality.
The multiple-threat malware, dubbed NKAbuse, appears to be targeting Linux desktops, though it also can infect Arm and MIPS systems, which makes it a threat to Internet of Things devices, according to researchers with Kaspersky’s Global Emergency Response Team (GERT).
The malware is written in the Go programming language and is compatible with multiple architectures, the researchers wrote in a report, adding that it uses the NKN (New Kind of Network) “for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities.”
“NKAbuse infiltrates systems by uploading an implant to the victim host,” they wrote. “The malware establishes persistence through a cron job and installs itself in the host’s home folder. Its capabilities span flooding to backdoor access to remote administration (RAT), offering a range of features.”
A cron job is a Linux scheduled task used to run commands at a future time or on a recurring basis. NKAbuse uses cron jobs to survive reboots. If the current user ID on the system is 0 (root), it parses the current crontab and adds itself to run at every reboot.
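The persistence pattern described above, a reboot-time crontab entry launching a binary from a home folder, is straightforward to look for on a host. The following is an added example (not code from the article or from Kaspersky’s report) that parses crontab text and flags `@reboot` entries whose executable lives under `/root` or `/home`. The sample crontab content and the paths in it are constructed for illustration; on a real system you would feed it the output of `crontab -l` for each user and the files under `/etc/cron.d`.

```python
# Added example (not from the article or Kaspersky's report): scan crontab
# content for reboot-time persistence entries that launch a binary from a
# home directory, the pattern the article describes for NKAbuse.
import re
from typing import Dict, List

# Constructed sample crontab text; the paths below are hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /root/.config/app_linux_amd64
@reboot	/home/deploy/.cache/update.sh
@daily /usr/local/bin/backup.sh
"""

# Executables under /root or any user's home directory.
HOME_DIR_RE = re.compile(r"^(?:/root|/home/[^/\s]+)/")

def parse_crontab(text: str) -> List[Dict[str, str]]:
    """Parse crontab lines into schedule/command pairs.

    Comments, blank lines and VAR=value assignments are skipped. Both the
    five-field form ("0 3 * * * cmd") and the @-shortcut form ("@reboot cmd")
    are handled.
    """
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            schedule = parts[0]
            command = parts[1] if len(parts) > 1 else ""
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # malformed line; not a valid cron entry
            schedule, command = " ".join(fields[:5]), fields[5]
        entries.append({"schedule": schedule, "command": command.strip()})
    return entries

def find_reboot_persistence(text: str) -> List[str]:
    """Return the commands scheduled with @reboot whose executable is under a home directory."""
    hits: List[str] = []
    for entry in parse_crontab(text):
        if entry["schedule"].lower() != "@reboot":
            continue
        executable = entry["command"].split()[0] if entry["command"] else ""
        if HOME_DIR_RE.match(executable):
            hits.append(entry["command"])
    return hits

if __name__ == "__main__":
    for cmd in find_reboot_persistence(SAMPLE_CRONTAB):
        print("suspicious @reboot entry:", cmd)
```

The check deliberately ignores ordinary scheduled jobs and system paths, so a hit is a reboot-time launch of something living in a home folder, which is rare for legitimate administration and worth a closer look at the referenced file.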
NKN was launched in 2018 as a blockchain-based P2P network connectivity protocol that aims to motivate internet users via economic incentives to share network connections and utilize unused bandwidth, according to the company. NKN boasts of being the largest blockchain network in the world, with 63,642 nodes.
Kaspersky’s GERT noted that NKN prioritizes decentralization and privacy, with algorithms designed to optimize data transmission by selecting the shortest node path to the intended destination.
“Historically, malware operators have exploited new and emerging communication protocols like NKN to link up with their command-and-control servers (C2) or bot masters,” the researchers wrote. “This threat (ab)uses the NKN public blockchain protocol to carry out a large set of flooding attacks and act as a backdoor inside Linux systems.”
They said that in one case, the malware exploited a six-year-old vulnerability related to Apache Struts2 (CVE-2017-5638) to attack a financial company they didn’t name.
The malware is installed on the target’s system through a remote shell script that downloads and executes the implant that is hosted remotely by the attacker. The malware checks the operating system on the device before downloading the implant. The server hosting NKAbuse includes eight chip architectures that the malware can support, including i386, two Arm platforms (arm and arm64), amd64, and four MIPS architectures – mips, mipsel, mips64, and mips64el.
“NKAbuse utilizes the NKN protocol to communicate with the bot master and receive/send information,” the researchers wrote. “To do this, the malware implant creates a new account and a new multiclient, which enables it to send and receive data from multiple clients concurrently, increasing the reliability of its communications with the bot master.”
The malware contains 10 DDoS attacks with different flooding payloads that can be used at the same time. The researchers noted that all the payloads “historically have been used by botnets, so, when combined with the NKN as the communication protocol, the malware can asynchronously wait for the master to launch a combined attack.”
NKAbuse also comes with a range of backdoor capabilities, with most of the message commands used for maintaining persistence on the infected system, executing commands, or gathering information. The malware talks to the bot master at regular intervals and can report information about the host device, including the process identifier, the victim’s IP address, free memory available, and its current configuration.
It also can take screenshots of what’s on the display, convert them to PNG and send them to the bot master. It can create files with specific content, remove files, fetch a file list from a specific path, get a list of the processes the system is running, and produce a detailed list of available network interfaces. NKAbuse also can run system commands on behalf of the device user, with the output sent through NKN to the bot master.
“Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols,” the researchers wrote. “This particular implant appears to have been meticulously crafted for integration into a botnet, yet it can adapt to functioning as a backdoor in a specific host.”
In addition, “its use of blockchain technology ensures both reliability and anonymity, which indicates the potential for this botnet to expand steadily over time, seemingly devoid of an identifiable central controller,” they wrote.